Preface



The 9th Australasian Conference on Information Security and Privacy (ACISP 2004) was held in Sydney, 13-15 July, 2004. The conference was sponsored by the Centre for Advanced Computing - Algorithms and Cryptography (ACAC), Information and Networked Security Systems Research (INSS), Macquarie University and the Australian Computer Society.

The aims of the conference are to bring together researchers and practitioners 
working in areas of information security and privacy from universities, industry 
and government sectors. The conference program covered a range of aspects 
including cryptography, cryptanalysis, systems and network security. 

The program committee accepted 41 papers from 195 submissions. The reviewing process took six weeks and each paper was carefully evaluated by at least three members of the program committee. We appreciate the hard work of the members of the program committee and external referees who gave many hours of their valuable time.

Of the accepted papers, there were nine from Korea, six from Australia, five 
each from Japan and the USA, three each from China and Singapore, two each 
from Canada and Switzerland, and one each from Belgium, France, Germany, 
Taiwan, The Netherlands and the UK. All the authors, whether or not their 
papers were accepted, made valued contributions to the conference. 

In addition to the contributed papers, Dr Arjen Lenstra gave an invited talk, 
entitled Likely and Unlikely Progress in Factoring. 

This year the program committee introduced the Best Student Paper Award. The winner of the prize for the Best Student Paper was Yan-Cheng Chang from Harvard University for his paper Single Database Private Information Retrieval with Logarithmic Communication.

We would like to thank all the people involved in organizing this conference. In particular we would like to thank members of the organizing committee for their time and efforts, Andrina Brennan, Vijayakrishnan Pasupathinathan, Hartono Kurnio, Cecily Lenton, and members from ACAC and INSS.
Abstract. Multi-service oriented broadcast encryption is a mechanism that allows a center to securely distribute multiple services to its authorized users. In this paper, we suggest a framework called the M framework, obtained from the subset cover method [12] using the RSA exponentiation technique. In this framework, each user's secret storage is independent of the number of services. Service subscriptions and service providing can be efficiently processed. Service unsubscriptions are dealt with scalably: a small number of service unsubscriptions can be handled without key updating, while when the number of such users reaches a threshold, a rekeying algorithm is proposed to update the users' service memberships explicitly. We formalize and prove that the framework is dynamically secure under the random oracle model. We realize our framework with a scheme based on the complete subtree method.



1 Introduction 

Broadcast encryption is a mechanism that allows one party to securely distribute his data to privileged users. This mechanism has important applications in Pay-TV, stock quotes, online databases, etc. After the work by Fiat and Naor in 1993 [9], it has been extensively studied in the literature, for example, schemes for stateless receivers [1,12], public key based schemes [2,6,14] and rekeying schemes [16,15,4,10].

In this paper, we consider the multi-service oriented broadcast encryption 
(MOBE), which is explained as follows. Suppose that a broadcast center (BC) 
wants to distribute multiple services to a set of users such that each user is 
allowed to access a specific service if and only if he has subscribed to it. Here 
the security concerns are traitor tracing, service unsubscriptions, etc. A possible 
solution is to associate each service with a distinct system (in a single service 
setting). The main problem here is that a user’s secret storage is proportional 
to the number of his subscribed services. 

1.1 Related Work 

The MOBE problem is related to flexible access control by Chick and Tavares [5], where each user is assigned a master key using the RSA exponentiation technique that allows him to access his subscribed services. However, users get an identical key set if they subscribe to the same services. Thus, it is impossible to distinguish such users. Consequently, traitor tracing and service unsubscriptions are not achievable.

Narayanan et al. [13] considered a multi-service notion called a practical Pay-TV scheme. They proposed three schemes. The third one is the most interesting scheme, which is secure and has traceability. However, their scheme is only suitable for applications with a small number of services, since the user key size is linear in the number of subscribed services. Furthermore, their service unsubscription utilizes a unicast channel. It follows that it is not suitable for applications with a large number of users or applications with frequent membership updating. The second scheme claimed that a collusion cannot compute the secret associated with service i. But we show that this is incorrect in the full paper [11].



1.2 Contribution 

In this paper, we propose a framework called the M framework for the MOBE problem. We first achieve the multi-service functionality from the subset cover method [12] (in the single service setting) using the RSA exponentiation technique. But this is not sufficient, since the system might become less efficient (e.g., the message overhead grows large; it increases management burdens; revoked IDs cannot be reused) when unsubscription is frequent, due to the lack of a rekeying mechanism. We thus propose a multi-service rekeying algorithm by extending a rekeying framework [7,10]. In the resulting full framework, the user key size in M is independent of the number of services. Subscription and new service providing are handled without involving unintended users. Furthermore, service unsubscription is handled scalably, which makes the system flexible. To gain a better understanding of this framework, we realize it by an efficient scheme $M_{CS}$, which is based on the complete subtree method [12]. Finally, in order to evaluate the security of our framework, we formalize a notion of dynamic security. It captures threats from an adaptive adversary that might issue queries such as subscription, rekeying, corruption and new service providing. We show that the M framework is secure under such a severe attack. Our proof is in the random oracle model.

This paper is organized as follows. In Section 2, we introduce our M framework and show its features. In Section 3, we present a realization of the M framework from the complete subtree method. In Section 4, we formalize and prove the dynamic security of the M framework.



2 A Framework for Multi-service Oriented Broadcast 
Encryption 

In this section, we introduce our M framework for the MOBE problem and show some advantages of this framework.

2.1 Description of the M Framework

Let $U$ be the set of all possible users; BC be the broadcast center; $w$ be the number of services BC provides. BC wants to provide services $\{1, \cdots, w\}$ with a controlled access right.

Preprocessing Phase

1. BC chooses an RSA composite $N = pq$ and $w$ primes $p_1, p_2, \cdots, p_w$, where $p, q$ are two large primes. Then he makes $N, p_1, \cdots, p_w$ public and keeps $p, q$ secret.

2. BC defines a collection of subsets of $U$: $S_1, S_2, \cdots, S_z$, where $z$ is polynomially bounded. For security reasons, we require that $\{u\}$ is contained in the collection for all $u \in U$. Then BC associates $S_i$ with a secret number $k_i$, $i = 1, \cdots, z$.

3. BC defines $Q = \prod_{i=1}^{w} p_i$. Let $\{1, 2, \cdots, w\}$ be the set of services currently available, $B(u)$ be the set of services user $u$ has subscribed to, $Z(u) = \prod_{i \in B(u)} p_i$, and $K(u) = \{k_i^{Q/Z(u)} \pmod N : u \in S_i, i = 1, \cdots, z\}$.



Note that, unless stated otherwise, in this paper we always assume that exponentiation is carried out modulo $N$.

Join Phase. When a new person asks to join, BC first finds a free ID $u \in U$ and assigns $K(u)$ and a random subscription key $c_u$ to this person. Here $c_u$ is only for subscription use and remains unchanged as long as he is in the system. We denote this person simply by $u$ when the context is clear.

Broadcast Phase. Let $U_i$ be the set of all the users that subscribe to service $i$. When BC wants to broadcast a message $M$ of service $i$ to all users in $U_i \setminus R_i$, for some $R_i \subseteq U_i$, he first finds a set cover $S_{i_1}, S_{i_2}, \cdots, S_{i_m}$ for $U \setminus R_i$, i.e., $S_{i_1} \cup S_{i_2} \cup \cdots \cup S_{i_m} = U \setminus R_i$. He then forms the ciphertext as

$$H_i(R_i, M) := (i_1, \cdots, i_m, E_{sk_{i_1,i}}(k), \cdots, E_{sk_{i_m,i}}(k), F_k(M)), \quad (1)$$

where $sk_{t,i} = f(k_t^{Q/p_i})$, $E$ and $F$ are two encryption algorithms (usually $E$ has a higher security than $F$), and $f : \mathbb{Z}_N^* \rightarrow \{0,1\}^L$ is a public hash function where $L$ is the key size of $E$.

Decryption Phase. When receiving $H_i(R_i, M)$, a user $u$ in $U_i \setminus R_i$ ($\subseteq U \setminus R_i$) first finds $j$ such that $u \in S_{i_j}$. Since $u$ has $k_{i_j}^{Q/Z(u)}$ and $p_i$ divides $Z(u)$, he can compute $sk_{i_j,i}$ and obtain the message $M$.

Subscribing More Services. We now show that it is convenient for an existing user $u$ to subscribe to more services. Suppose $u$ wants to add service $j$ to $B(u)$. He first updates $B(u)$ to $B'(u) = B(u) \cup \{j\}$ and $Z(u)$ to $Z'(u) = Z(u) \times p_j$. BC then provides a key set $\{k_i^{Q/p_j} : u \in S_i, i = 1, \cdots, z\}$ to $u$, encrypted under the subscription key $c_u$. When $u$ gets this key set, he can update $K(u)$ to $K'(u) := \{k_i^{Q/Z'(u)} : u \in S_i, i = 1, \cdots, z\}$ as follows. He finds integers $a, b$ using the Euclidean algorithm such that $p_j a + b Z(u) = 1$ and then computes

$$(k_i^{Q/Z(u)})^a \, (k_i^{Q/p_j})^b = k_i^{aQ/Z(u) + bQ/p_j} = k_i^{Q(p_j a + Z(u) b)/(Z(u) p_j)} = k_i^{Q/Z'(u)}.$$

It is clear that $K'(u)$ is the current key set for user $u$. For simplicity, we still denote the updated parameters as $K(u), B(u), Z(u)$, respectively.

Service Unsubscription. Some users $R'_i$ may quit service $i$ at some moment. The main concern is to prevent them from accessing it again after they leave. If the size of $R'_i$ is small, this can be handled without updating other users' secret information. Specifically, in the broadcast phase, BC can use a set $R_i$ containing $R'_i$ as the excluded set. However, as mentioned in the introduction, when the size of $R'_i$ grows large, this method is inefficient. In our method, we propose an extension of a rekeying algorithm [7] to explicitly update users' service memberships; see the rekeying phase.

Providing New Services. We show that it is convenient for BC to provide a new service $(w+1)$. To do this, BC first finds a prime number $p_{w+1}$ and updates $Q$ to $Q' = Q \times p_{w+1}$. Then he computes $q_{w+1} = p_{w+1}^{-1} \pmod{\phi(N)}$, where $\phi(\cdot)$ is the Euler function. For each $k_i$, he computes $k'_i := k_i^{q_{w+1}}$. For an existing user $u$, his secret key information stays invariant since $k_i'^{Q'/Z(u)} = k_i^{Q/Z(u)}$. If $u$ wants to subscribe to service $(w+1)$, BC provides $p_{w+1}$ and $\{k_i'^{Q'/p_{w+1}} : u \in S_i, i = 1, \cdots, z\}$ to him, encrypted under $c_u$. Then $u$ updates $B(u), Z(u), K(u)$.

In summary, providing a service does not affect an existing user's activity, and he need not even know about the new service. On the other hand, subscribing to this new service is as easy as subscribing to an existing service.
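The exponent arithmetic behind the preprocessing, decryption, subscription and new-service steps above, as an added worked example (this is not code from the paper; function names, the toy primes and the random subset keys are all constructed here). It uses deliberately tiny RSA factors so the numbers stay readable, omits the hash $f$ and the encryption layers $E$, $F$, and shows only the exponent manipulation: deriving $k_i^{Q/p_j}$ from the stored $k_i^{Q/Z(u)}$, refusing that derivation when $p_j \nmid Z(u)$, the Euclidean combination that yields $k_i^{Q/Z'(u)}$, and the $q_{w+1} = p_{w+1}^{-1} \bmod \phi(N)$ re-randomisation that leaves existing user keys untouched.

```python
# Added worked example (not code from the paper): the exponent arithmetic of
# the M framework's key assignment (Section 2.1) on toy parameters.
# Assumptions: small constructed primes so the numbers are readable; a real
# deployment needs a large RSA modulus N, service primes coprime to phi(N),
# and the hash f plus the encryption layers E and F, all omitted here.
from math import prod, gcd
import random

# --- Preprocessing phase (all values constructed for this example) ---
P_FACTOR, Q_FACTOR = 1031, 1033          # the secret RSA factors p, q
N = P_FACTOR * Q_FACTOR                  # public RSA composite N = pq
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)    # phi(N), kept secret by BC
SERVICE_PRIMES = [7, 11, 13, 17]         # public p_1..p_w for w = 4 services
assert all(gcd(p, PHI) == 1 for p in SERVICE_PRIMES)


def big_q(primes):
    """Q = product of the service primes currently in use."""
    return prod(primes)


def z_of(primes, subscribed):
    """Z(u) = product of the primes of the services u subscribes to.
    `subscribed` holds 0-based indices into `primes`."""
    return prod(primes[j] for j in subscribed)


def user_key(k_i, primes, subscribed):
    """The entry of K(u) for a subset S_i containing u: k_i^{Q/Z(u)} mod N."""
    return pow(k_i, big_q(primes) // z_of(primes, subscribed), N)


def service_key(uk, primes, subscribed, j):
    """Decryption phase: from the held k_i^{Q/Z(u)} derive k_i^{Q/p_j}.
    Works only when p_j divides Z(u), i.e. u has subscribed to service j."""
    if j not in subscribed:
        raise ValueError("p_j does not divide Z(u): service j not subscribed")
    return pow(uk, z_of(primes, subscribed) // primes[j], N)


def ext_gcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_pow_signed(base, exp, n):
    """base^exp mod n for a possibly negative exponent (base in Z_n^*)."""
    if exp < 0:
        return pow(pow(base, -1, n), -exp, n)
    return pow(base, exp, n)


def add_service(uk, k_i_q_over_pj, primes, subscribed, j):
    """Subscribing more services: combine the held k_i^{Q/Z(u)} with the
    k_i^{Q/p_j} that BC sends under c_u into k_i^{Q/Z'(u)}, Z'(u) = Z(u)*p_j,
    via integers a, b with p_j*a + b*Z(u) = 1 (the paper's equation)."""
    g, a, b = ext_gcd(primes[j], z_of(primes, subscribed))
    assert g == 1, "p_j must not already divide Z(u)"
    return (mod_pow_signed(uk, a, N) * mod_pow_signed(k_i_q_over_pj, b, N)) % N


def provide_new_service(subset_keys, primes, new_prime):
    """Providing new services: BC replaces every k_i by k_i^{q_{w+1}} with
    q_{w+1} = p_{w+1}^{-1} mod phi(N). Existing users' k_i^{Q/Z(u)} stay valid
    for the new Q' = Q*p_{w+1} because q_{w+1}*p_{w+1} = 1 mod phi(N)."""
    assert gcd(new_prime, PHI) == 1 and new_prime not in primes
    q_new = pow(new_prime, -1, PHI)
    return [pow(k, q_new, N) for k in subset_keys], primes + [new_prime]


def walkthrough():
    """Run one user through subscribe / derive / add a service / new service."""
    rng = random.Random(2004)                       # deterministic toy keys
    k = []                                          # k_1, k_2, k_3 for S_1..S_3
    while len(k) < 3:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:                          # keep k_i inside Z_N^*
            k.append(x)
    primes = SERVICE_PRIMES
    subs = [0, 2]                                   # u subscribes to services 1 and 3
    uk = user_key(k[0], primes, subs)               # k_1^{Q/Z(u)} for u in S_1
    sk3 = service_key(uk, primes, subs, 2)          # k_1^{Q/p_3}, usable for service 3
    # Subscribe to service 2: BC sends k_1^{Q/p_2}; u combines it with uk.
    uk2 = add_service(uk, pow(k[0], big_q(primes) // primes[1], N), primes, subs, 1)
    subs2 = [0, 1, 2]
    # BC adds a fifth service with prime 19; u's stored key must be unchanged.
    k_new, primes2 = provide_new_service(k, primes, 19)
    return {
        "derived_ok": sk3 == pow(k[0], big_q(primes) // primes[2], N),
        "combined_ok": uk2 == user_key(k[0], primes, subs2),
        "invariant_ok": pow(k_new[0], big_q(primes2) // z_of(primes2, subs2), N) == uk2,
    }
```

Running `walkthrough()` returns all three checks as `True`. The negative exponent handling in `add_service` matters in practice: the Bezout coefficients from the Euclidean algorithm are rarely both positive, so one factor has to be raised to a negative power, which is only well defined because every $k_i$ is chosen in $\mathbb{Z}_N^*$.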

Rekeying Phase. When the size of the set $R_i$ for quitting a certain service $i$ grows large, the system becomes inefficient. Thus it is desirable to permanently update users' service memberships. Let $\Delta : U \rightarrow \{1, \cdots, w\}$ be a function such that $\Delta(u)$ is the set of services that $u$ will quit in this rekeying event. Note that revoking an illegal user is regarded as quitting all the services. Now we extend a rekeying algorithm in [7] to the multi-service setting. We remark that the rekeying algorithm in [7] is an extension of that in [10]. Let $R$ be the set of users that will quit at least one service. Then for a given pair $(R, \Delta)$, we can simultaneously update every user's key information (for all possible services). In order to present the algorithm in a clear way, we introduce some notation.

Definition 1. Define $C(k_i)$ to be the minimal subset of $\{k_1, \cdots, k_z\}$ containing $k_i$ such that the generation process for elements in $C(k_i)$ shares no random bits with the generation process for elements in $\{k_1, \cdots, k_z\} \setminus C(k_i)$.

Since $k_i^{Q/p_l}$ needs updating if and only if $k_i$ needs updating, we only need to determine the exact subset of $\{k_1, \cdots, k_z\}$ that needs updating. In fact we have the following lemma. The proof can be found in the full paper [11].

Lemma 1. 1. $C(k_i)$ and $C(k_j)$ are either disjoint or identical.

2. Let $R$ be the set of users that will quit at least one service; then the exact subset of $\{k_1, \cdots, k_z\}$ that needs updating is

From this lemma, we see that the exact subset $G$ to be updated depends only on $R$ instead of on $(R, \Delta)$. For ease of presentation, we would like to use the exact subcollection whose corresponding keys need updating, and denote this subcollection by $D(R)$, i.e., $D(R) := \{S_i : k_i \in G\}$.

Definition 2. Let $S_1, \cdots, S_z$ be the subsets defined in the preprocessing phase. We say that $S_i$ has level $l$ if there exists a chain of length $l$ for $S_i$:

$$S_{i_1} \subset S_{i_2} \subset \cdots \subset S_{i_{l-1}} \subset S_i, \quad (2)$$

where $i_1, i_2, \cdots, i_{l-1}, i$ are distinct, and there is no such chain of length $l + 1$. We use $\subset$ to represent a proper subset.



Definition 3. For two subsets $S_i$ and $S_j$ with $S_i \subset S_j$, if there exists no $S_t$ such that $S_i \subset S_t \subset S_j$, then we say $S_i$ is a child of $S_j$.

Let $L$ be the maximal level of the subsets $S_1, \cdots, S_z$. Our rekeying algorithm is described in Table 1.

Figure 1 graphically demonstrates this rekeying process. In this figure $R = \{u_1, u_2, u_4, u_5\}$ (note that subsets not involved in the rekeying event are omitted from the graph). Users $u_1, u_4$ will quit service $j$ while $u_2$ and $u_5$ are still legal users for it. Thus $u_2$ (resp. $u_5$) decrypts the ciphertext in the box and gets the updated service key $k_i'^{Q/p_j}$ of the corresponding parent set. Then he uses this key for further updating.

The following lemma shows the completeness of the rekeying algorithm. 

Lemma 2. Any new service key $k_i'^{Q/p_j}$ is received by its designated users.

2.2 Performance 

Now we discuss the performance of our framework. Other parameters, e.g., broadcast overhead and rekeying complexity, can only be made precise in a specific construction.

User Storage. From the key assignment, we know that user private storage is at most $|K(u)| + 1$ (footnote 1) and thus is independent of the number of services. On the other hand, an efficient representation of the primes could be achieved by a generation program, so the corresponding memory can be regarded as negligible. Thus, our framework has an important gain over the method using an independent system for each service, especially when the number of services is large.

1 Note the actual storage might be smaller than this (e.g., a construction based on the Asano method [1]). We omit this in the current version due to the presentation complexity.

Table 1. Rekeying Algorithm

1. BC first updates $B(u), Z(u)$ for all $u \in R$, where $R$ is the set of users that will quit one or more services according to $\Delta$. For simplicity, we still use the symbols $B(u), Z(u)$ after updating. Note that revoking an illegal user is considered as the case that he quits all the services.

2. Determine $D(R)$.

3. For each service $j = 1, \cdots, w$, do the following:

   For each set $S_i \in D(R)$ at level 1 do
      Let $S_i = \{u\}$. Send $E_{sk_{i,j}}(k_i'^{Q/p_j})$ to $u$ if $j \in B(u)$, where $sk_{i,j} = f(k_i^{Q/p_j})$.

   For $l = 2, \cdots, L$ do
      For each set $S_i \in D(R)$ at level $l$ do
         For each child $S_t$ of $S_i$, broadcast $E_{sk'_{t,j}}(k_i'^{Q/p_j})$ to all users in $S_t$ if at least one user in $S_t$ is privileged for service $j$. Here $sk'_{t,j} = f(k_t'^{Q/p_j})$, where $k'_t = k_t$ if it is not updated; otherwise, it is the updated value.

Flexible Subscription/Unsubscription. In our method, subscription has no interference with other users. Service unsubscription is scalable. A small number of service unsubscriptions can be treated without key updating, while if their number reaches a threshold, the rekeying algorithm can update the user key sets explicitly. Such scalability avoids the inefficiency problems that occur in a stateless scheme when unsubscriptions are frequent (e.g., incremental management burden, reduced capacity of users).

Traitor Tracing. Traitor tracing is an algorithm for finding illegal users who help build a pirate decoder with their secret keys. Naor et al. [12] presented a subset tracing algorithm to locate the traitors in logarithmic time if the system is secure and satisfies a bifurcation property. In our system, we can apply their algorithm for each service. Notice that bifurcation is a property of the set collection $S_1, \cdots, S_z$. Thus, an efficient tracing procedure in their single-service setting implies an efficient one in our multi-service setting. If we suppose the encryption algorithms in the broadcast phase are ideal, then a violation of the security of this tracing procedure implies the capability for traitors to compute a service key which they are not entitled to. However, in our system dynamic security guarantees that the adversary has only a negligible success probability. Thus, dynamic security implies the security of the tracing algorithm.
Fig. 1. A Small Example for Rekeying Process



3 The $M_{CS}$ Scheme

The Complete Subtree (CS) broadcast encryption scheme for stateless receivers was proposed by Naor et al. [12]; it is a single-service oriented scheme. Specifically, BC first builds a complete binary tree $TR$. Let its nodes be $v_1, \cdots, v_{2n-1}$ in breadth-first order. Let the leaves $v_n, \cdots, v_{2n-1}$ represent users $u_1, \cdots, u_n$. Then he puts a random key $k_i$ at each node $v_i$. A user's secret key set is composed of the keys on the path from the root to this user, inclusive.

If we let $S_i$ be the set of users rooted at node $v_i$, the multi-service scheme $M_{CS}$ can be obtained from the above CS method as follows. Assume that $N, p_1, \cdots, p_w, B(u), Z(u)$ and $Q$ are defined as in the framework. For ID $u$, $K(u) = \{k_i^{Q/Z(u)} : u \in S_i, i = 1, \cdots, z\}$. Message broadcast, decryption, user joining, subscribing to more services, service unsubscription and providing new services can be done as specified in the M framework. Next we present our rekeying algorithm.

Rekeying Algorithm. It is clear that the maximal level among those of the subsets $S_1, \cdots, S_{2n-1}$ is $L = 1 + \log n$, since $S_i$ having level $l$ is equivalent to $v_i$ being at depth $L - l$. Suppose that the users in $R$ have one or more services to quit. Note that different users can quit arbitrary services of their choice. Our rekeying algorithm can handle the service quitting for all of $R$ simultaneously; see Table 2. This algorithm is actually an extension of [10] to the multi-service setting. We remark that in the single-service setting, the algorithm for one user quitting was proposed in [3,16].
Table 2. Rekeying Algorithm for $M_{CS}$

1. BC updates $B(u), Z(u)$ for all $u \in R$ (but we still use these symbols for simplicity). Then he finds $Steiner(R)$ (i.e., the smallest subtree in $TR$ that includes $R$ and the root) and for each $v_i \in Steiner(R)$ he updates $k_i$ to a random number $k'_i$ of the same length.

2. For service $j = 1, \cdots, w$ do the following:

   (i) For each $v_i \in Steiner(R)$ at depth $L - 1$ do
          Suppose $S_i = \{u\}$. BC sends $E_{sk_{i,j}}(k_i'^{Q/p_j})$ to $u$ if $j \in B(u)$.

   (ii) For $l = L - 2, \cdots, 0$ do
          For each node $v_i \in Steiner(R)$ at depth $l$,
             BC updates $k_i$ to a random key $k'_i$;
             For each child $v_b$ of $v_i$, he sends $E_{sk'_{b,j}}(k_i'^{Q/p_j})$ to all users rooted at $v_b$ if there is a privileged user among them, where $sk'_{b,j} = f(k_b'^{Q/p_j})$ and $k'_b$ is the current associated random number for $v_b$ if it is updated; otherwise, $k'_b = k_b$.
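The following simulation is an added example, not code from the paper: it runs the Table 2 procedure on a constructed 8-user complete binary tree with symbolic keys (a triple `(v, ver, j)` stands for $k_v^{Q/p_j}$ when `ver` is 0 and for the rekeyed $k_v'^{Q/p_j}$ when `ver` is 1), delivers each ciphertext only to recipients that can derive its key, and then checks the completeness claim of Lemma 2 together with the unsubscription goal, namely that a user who quit service $j$ obtains none of the rekeyed service-$j$ keys. The user numbering, the subscription sets and the quitting users are all constructed; the RSA exponent arithmetic is left to the framework and is not modelled. The simulation also goes slightly beyond the single-user example of Figure 1 by revoking one user entirely and letting another quit only one service in the same event.

```python
# Added simulation (not the paper's code) of the M_CS rekeying algorithm in
# Table 2. Constructed toy instance: n = 8 receivers in a complete binary tree
# with heap numbering (root = 1, children of v are 2v and 2v+1, leaves n..2n-1),
# w = 3 services. Keys are symbolic: (v, ver, j) stands for k_v^{Q/p_j}
# (ver = 0) or the rekeyed k'_v^{Q/p_j} (ver = 1); the real exponent
# arithmetic of the framework is deliberately not modelled here.
from math import log2

N_USERS = 8
SERVICES = (1, 2, 3)
L = 1 + int(log2(N_USERS))   # maximal level; root at depth 0, leaves at depth L-1


def depth(v):
    return v.bit_length() - 1


def path(u):
    """Nodes from the leaf of user u (0-based) up to the root."""
    v, out = N_USERS + u, []
    while v >= 1:
        out.append(v)
        v //= 2
    return out


def users_under(v):
    """Users rooted at node v, i.e. the set S_v of the framework."""
    return [u for u in range(N_USERS) if v in path(u)]


def rekey(B, quits):
    """Table 2. B maps user -> set of subscribed services; quits maps each user
    in R to Delta(u). Returns the updated subscriptions, the ciphertexts BC
    broadcasts, the symbolic keys each user can derive afterwards, Steiner(R)."""
    B_new = {u: set(s) - quits.get(u, set()) for u, s in B.items()}
    steiner = {v for u in quits for v in path(u)}            # Steiner(R)
    ver = {v: int(v in steiner) for v in range(1, 2 * N_USERS)}
    # Before the event a user can derive the old service keys of every node on
    # his path for the services in his OLD B(u): a quitting user still holds
    # k_v^{Q/Z(u)}, so the simulation must not pretend otherwise.
    holds = {u: {(v, 0, j) for v in path(u) for j in B[u]} for u in B}
    cts = []                                                 # (under_key, payload, recipients)
    for j in SERVICES:
        for v in sorted(steiner, key=depth, reverse=True):   # leaves first, root last
            if depth(v) == L - 1:                            # step (i): S_v = {u}
                u = v - N_USERS
                if j in B_new[u]:
                    cts.append(((v, 0, j), (v, 1, j), [u]))
                continue
            for b in (2 * v, 2 * v + 1):                     # step (ii): each child v_b
                rec = users_under(b)
                if any(j in B_new[u] for u in rec):          # a privileged user exists
                    cts.append(((b, ver[b], j), (v, 1, j), rec))
    for key, payload, rec in cts:                            # delivery: open only if the key is held
        for u in rec:
            if key in holds[u]:
                holds[u].add(payload)
    return B_new, cts, holds, steiner


def check(B_new, holds, steiner, quits):
    """Lemma 2 (every designated user gets every new key on his path) and the
    unsubscription goal (a quitter learns no rekeyed key of a quit service)."""
    complete = all((v, 1, j) in holds[u]
                   for u in B_new for j in B_new[u] for v in path(u) if v in steiner)
    no_leak = all((v, 1, j) not in holds[u]
                  for u in quits for j in quits[u] for v in range(1, 2 * N_USERS))
    return complete, no_leak


def demo():
    """Constructed event: u_1 quits service 2, u_6 is revoked, u_5 never had 2 and 3."""
    B = {u: {1, 2, 3} for u in range(N_USERS)}
    B[5] = {1}
    quits = {1: {2}, 6: {1, 2, 3}}
    B_new, cts, holds, steiner = rekey(B, quits)
    return {"ciphertexts": len(cts),
            "checks": check(B_new, holds, steiner, quits),
            "u1_keeps": sorted(B_new[1]),
            "steiner": sorted(steiner)}
```

`demo()` reports 28 ciphertexts for this event, both checks passing, $Steiner(R) = \{1, 2, 3, 4, 7, 9, 14\}$ and $u_1$ retaining services 1 and 3. The reason a quitter is locked out is visible in the code: the only ciphertext keyed under an old key on his path is the leaf one in step (i), and that is withheld when $j \notin B(u)$, so every higher ciphertext on his path is under a rekeyed child key he never obtains.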



3.1 Performance 

Now we briefly summarize the performance of $M_{CS}$. The following parameters are of main concern: (1) user secret storage, (2) the message overhead in the broadcast phase, i.e. the number of cover sets used there, and (3) the number of rekeying ciphertexts, representing the computational complexity at the server and the number of times the broadcast channel is used. In $M_{CS}$, a user only needs to store $1 + \log n$ secret keys in $K(u)$. Additionally, he should store $p_1, \cdots, p_w, N$ and $B(u)$ (as before, when $w$ is large, the primes $p_i$ can be represented by a generation program). The message overhead in the broadcast phase is $r \log(n/r)$, where $r = |R_i|$. The number of rekeying ciphertexts is upper-bounded by $O(w \cdot r \log(n/r))$ for $r = |R|$. This can be easily proved by induction. Notice that $r$ for $R$ or $R_i$ is always less than a threshold. Thus, these two parameters can always be kept small. Furthermore, the traceability property is inherited from that of the original CS method, due to its dynamic security (see the security section).



4 Security 

In this section, we investigate the security of our M framework. We only consider the security threats arising from the dynamic feature of key assignments. We first give a primitive notion, the key computational infeasibility property, which is similar to the notion of key indistinguishability [12]. Then we formalize an adversary model for the M framework and analyze the dynamic security of the M framework under the random oracle model.
Definition 4. Let A be any probabilistic polynomial time (PPT) adversary against the (static) key assignment of the M scheme, and let $\{p_1, \cdots, p_v\}$ be the set of primes currently used to define the service keys. Let $k_t$ be the key associated with $S_t$, $t = 1, \cdots, z$. A first chooses a pair $(i, j)$. Then he receives all $k_t$ for $S_t \not\subseteq S_i$ and all $k_r^{Q/p_l}$ for all $S_r \subset S_i$. The M scheme is said to satisfy the key computational infeasibility (KCI) property if the success probability of A in computing $k_i^{Q/p_j}$ is negligible.

We are now ready to formalize an adversary model for the M framework, for which the KCI property should not be affected by the dynamic feature of key assignments. In other words, we consider that A can issue four types of queries: corrupting existing users, providing new services, subscribing to more services, and running the rekeying algorithm. As a response, the ciphertexts in the case of the last two events will be provided to the adversary. Upon corruption, the corrupted user's secret key set as well as his subscription key will be provided to the adversary. After interacting with the challenger for a while, he announces an attack on a specific service key. He then tries to compute the target. The M scheme is said to be dynamically secure if the success probability of A is negligible. Formally,

Definition 5. Let A be a PPT adversary against the M scheme. We let $u \in U$ always represent the user who is currently using it. A first chooses $(i, j)$ as his target. Then A can issue the following queries.

1. He can request to provide a new service. As a response, the challenger will choose a new prime $p_{w+1}$ and then update $k_r$ to $k'_r = k_r^{q_{w+1}}$, where $q_{w+1} = p_{w+1}^{-1} \pmod{\phi(N)}$ and $w$ is the number of existing services. Then he provides $p_{w+1}$ to A.

2. He can ask to subscribe to a new service $J$ on behalf of some user $u$. As a response, A will receive the ciphertext $E_{c_u}(\{k_r^{Q/p_J} : u \in S_r, r = 1, \cdots, z\})$.

3. He can ask to execute the rekeying algorithm on $(R, \Delta)$ of his choice, where $\Delta : R \rightarrow \{1, \cdots, w\}$ is a function such that $\Delta(u)$ is the set of services that $u$ will quit in this query. As a response, he will receive all the ciphertexts in this rekeying event.

4. He can ask to corrupt a user $u$. As a response, A will receive $K(u)$ as well as $c_u$.

After interacting with the challenger for a while, A can announce the attack as long as no user in $S_i$ who is privileged for service $j$ is corrupted at the present time. The M scheme is said to be dynamically secure if the success probability for A to compute $k_i^{Q/p_j}$ is only negligible.



Remark 1. Two clarifications follow here.

1. When the adversary announces the attack, we require that currently corrupted persons are not privileged for service $j$. This is reasonable since such a person directly has $k_i^{Q/p_j}$. Obviously, success by this means does not imply a weakness of the system. On the other hand, we stress that we do allow a user to be corrupted at some earlier time but later purged from the system (recall that revoking a user is regarded as quitting all the services).

2. We require the adversary to select his target pair $(i, j)$ before his interaction. This has the same power as an adversary who chooses his target adaptively. The reason is that a non-adaptive adversary can always correctly guess the target pair of an adaptive adversary with non-negligible probability.

By the above security model, we have the following theorem. The proof can be found in the full paper [11].

Theorem 1. Assume that $E$ is semantically secure against chosen plaintext attack (IND-CPA). Let $f(\cdot)$ be a random oracle. For any $i$, $C(k_i)$ is distributed exactly the same as $\{k_j^{\alpha} : k_j \in C(k_i)\}$, $i = 1, \cdots, z$, where $\alpha$ is coprime with $\phi(N)$. If the (static) key assignment of M satisfies the KCI property, then it is dynamically secure.

Based on Theorem 1, we can easily conclude the security of $M_{CS}$.

Corollary 1. If $k_i$ is uniformly random in $\mathbb{Z}_N^*$, $i = 1, \cdots, z$, and $E$ is secure against CPA attack, then $M_{CS}$ is dynamically secure.
Abstract. In ACISP 2003, Hwang et al. proposed a broadcast encryption scheme, which is a modification of the Subset Difference (SD) method. In this paper we present how their scheme can be broken in a way that a collusion of two receivers can obtain other receivers' keys which are not given to any of the colluding receivers. We also propose a new method using trapdoor one-way permutations to reduce the storage overhead in the SD and Layered SD methods. This new method eliminates $\log N$ labels from receivers' storage, where $N$ is the total number of receivers. The method requires few public values and little computational overhead.



1 Introduction 

Broadcast encryption schemes, introduced by Berkovits [4] and Fiat et al. [6] independently, enable a sender to distribute secret information securely to a group of receivers, excluding specified revoked receivers, over a broadcast channel. There are some important criteria to evaluate this technology: the upper bound of the number of broadcast ciphertexts (the communication overhead), the number of keys each receiver stores (the storage overhead), and the computational overhead at a receiver. Note that administrators and broadcasters usually have much greater memory and computing resources than receivers.

Wallner et al. [14] and Wong et al. [15] proposed efficient methods for key distribution, using a logical key-tree structure. In these methods receivers update the keys they store; however, giving receivers the mechanism to change their keys increases the production cost and might also weaken their security. Hence, methods which work for receivers without the ability to change their keys are preferred for many applications. Such receivers are called stateless receivers.

The notion of stateless receivers was introduced by Naor et al. [10], who also proposed two efficient methods using a binary key-tree structure. The Complete Subtree (CS) method is a direct application of the structure proposed in [14] and [15] to stateless receivers. The communication and storage overhead in CS are $r \log(N/r)$ and $\log N + 1$, respectively, where $N$ and $r$ denote the total number of receivers in the scheme and the number of revoked receivers, respectively. The second method proposed in [10], the Subset Difference (SD) method, improves the subset algorithm and the key assignment mechanism of CS using a pseudo-random sequence generator. Its communication, storage and computational overhead are $2r - 1$, $\frac{1}{2}\log^2 N + \frac{1}{2}\log N + 1$ and $O(\log N)$, respectively.

H. Wang et al. (Eds.): ACISP 2004, LNCS 3108, pp. 12-23, 2004.

(c) Springer-Verlag Berlin Heidelberg 2004
Table 1. The properties of the original SD and Basic LSD methods, the modifications proposed in [2] and in this paper. $N$, $r$ and $M$ denote the total number of receivers, the number of revoked receivers and the modulus of RSA, respectively. *The computational overhead in the original methods is $\log N$ applications of a pseudo-random generator.

Method              # ciphertexts   # labels                      Computational overhead                  # public values
BLSD [7]            $4r - 2$        $\log^{3/2} N + 1$            $O(\log N)$*                            -
BLSD-MK [2]         $4r - 2$        $\log^{3/2} N - \log N + 1$   $O(\max\{\log^5 N, \log^2 N \log^2 M\})$   $O(N)$
BLSD (this paper)   $4r - 2$        $\log^{3/2} N - \log N + 1$   $O(\log N \log^2 M)$                    $O(1)$
[SD rows illegible in source]



Halevy et al. [7] introduced the concept of a layer in order to reduce the storage overhead of SD, and proposed the Layered Subset Difference (LSD) method. The basic version of LSD, the Basic LSD (BLSD) method, reduces the number of labels a receiver stores to $\log^{3/2} N + 1$, while maintaining the communication and computational overhead in $O(r)$ and $O(\log N)$, respectively. The general version, the General LSD (GLSD) method, reduces the number of labels to $O(\log^{1+\epsilon} N)$ in exchange for an increase in the communication overhead by a constant factor, where $\epsilon$ is an arbitrary positive number.

Asano [1] modified CS using an a-ary tree and the master-key technique [5], 
where a is an arbitrary integer satisfying a > 1. One of Asano’s methods re- 
duces the storage overhead and the communication overhead to one key and 
to 1 + v, respectively, in exchange for an increase in the computational 

overhead to O ( 2 /°g a N ) • The master-key technique is also applied to SD and 
LSD in order to eliminate log N labels from receivers’ storage [2] . 

1.1 Our Contribution 

In ACISP 2003, Hwang, Kim and Lee [8] proposed a method for broadcast encryption schemes. We call it the HKL method and write it as HKL. It modifies the subset algorithm and key assignment mechanism of SD. However, it is insecure against a collusion of two receivers, as we show in this paper.

Then we propose a new method to modify SD and LSD. Recently, Nojima et al. [12] and Ogata et al. [13] independently modified CS using trapdoor one-way permutations based on the RSA cryptosystem and reduced the number of node keys a receiver stores to one. We apply their concept to SD and LSD.

Table 1 summarizes the properties (the number of broadcast ciphertexts, the number of labels a receiver stores, the computational overhead at a receiver, and the total number of public values in the method) of the original SD, BLSD and their modifications using the master-key technique proposed in [2] (which are denoted by SD-MK and BLSD-MK, respectively), and the modifications proposed in this paper. Our modifications, as well as SD-MK and BLSD-MK, eliminate $\log N$ labels from receivers' storage in SD and BLSD while maintaining the same communication complexity. Although SD-MK and BLSD-MK use $O(N)$ public values, ours use only a constant number of public values. The computational overhead at receivers in our modifications is smaller compared with these methods. Similar to the modification proposed in [2], our method also eliminates $\log N$ labels from receivers' storage in GLSD.

Attrapadung et al. [3] generalized the key generation mechanism of SD and LSD with pseudo-random sequence generators and eliminated $\log N - x_u$ labels from the storage of receiver $u$ ($1 \le u \le N - 1$) in SD (thus the number of labels in their modification becomes $\frac{1}{2}\log^2 N - \frac{1}{2}\log N + x_u + 1$), and $\log N - x_u - y_u$ in BLSD, where $x_u = \max\{k : 2^k \mid u\}$ and $y_u = |\{ j : 1 \le j \le \log N,\ \sqrt{\log N} \nmid j,\ 2^j - 2^{\lfloor \sqrt{\log N}\, j / \log N \rfloor} + 1 \le u \bmod 2^j \le 2^j - 1 \}|$. The advantage of our method is the number of labels which can be eliminated: ours eliminates $\log N$ labels from the storage of all receivers.



Notations. We call the entity which manages the broadcast encryption scheme the Trusted Center (TC). TC defines a binary tree with $N$ leaves and assigns a receiver to each leaf, where $N$ is the total number of receivers and, for simplicity, we assume it is a power of 2. Let $path_m$ be the path from the root to the leaf to which receiver $u_m$ is assigned. In order to represent relationships of nodes, let $P(i)$, $S(i)$, $LC(i)$ and $RC(i)$ denote the parent, sibling, left-child and right-child node of node $i$, respectively. The base of "log" is 2 throughout this paper.



2 The SD Method 



Since both HKL and our method are based on SD, we will briefly explain SD. Subset $S_{i,j}$ used in SD is specified by two nodes, $i$ and $j$, and defined as $S_{i,j} = S_i \setminus S_j$, where $S_i$ and $S_j$ are the sets of receivers assigned to the leaves of the subtrees rooted at $i$ and at its descendant $j$, respectively. In this arrangement, any combination of unrevoked receivers can be covered by a disjoint union of at most $2r - 1$ subsets, where $r$ is the number of revoked receivers. Hence the number of broadcast ciphertexts is at most $2r - 1$.

SD uses a pseudo-random sequence generator $G : \{0,1\}^C \to \{0,1\}^{3C}$ and the concept of a label $LABEL_{i,j}$ for subset $S_{i,j}$ in order to derive the corresponding subset key and other labels. Let $G_L(s)$, $G_M(s)$ and $G_R(s)$ denote the left, middle and right third of the output of $G$ on seed $s$, respectively. For each internal node $i$, TC chooses an element $s_i \in \{0,1\}^C$ and sets $LABEL_{i,LC(i)} = G_L(s_i)$ and $LABEL_{i,RC(i)} = G_R(s_i)$. Labels corresponding to subsets $S_{i,LC(j)}$ and $S_{i,RC(j)}$ are generated in the same way: $LABEL_{i,LC(j)} = G_L(LABEL_{i,j})$ and $LABEL_{i,RC(j)} = G_R(LABEL_{i,j})$, respectively, where $i$ is an ancestor of $j$. TC generates the labels $LABEL_{i,j}$ for all subsets $S_{i,j}$ by repeating this process. Subset key $SK_{i,j}$ of subset $S_{i,j}$ is defined as $SK_{i,j} = G_M(LABEL_{i,j})$.

Receiver $u_m$ is given labels $LABEL_{i,j}$ such that $i$ is a node on $path_m$ and $j$ is a descendant of $i$ just hanging off $path_m$. The number of labels a receiver stores (including one for the case of no revocation) is $\frac{1}{2}\log^2 N + \frac{1}{2}\log N + 1$.
Fig. 1. (A) An example of a subset $S_{k,(i,j)}$, (B) Assignment of primes in HKL



3 The HKL Method 



In HKL, a subset is defined in a similar way as in SD but using three nodes, $v_k$, $v_i$ and $v_j$, as $S_{k,(i,j)} = S_k \setminus (S_i \cup S_j)$, where $v_k$ is the least common ancestor of $v_i$ and $v_j$, and $v_k$ is located at level 2 or higher. Figure 1 (A) shows an example of a subset. In addition, HKL defines three special subsets: subset $S_{ALL}$ consisting of all receivers in the scheme, subset $S_{LH}$ consisting of receivers assigned to leaves on the left half of the tree, and subset $S_{RH}$ consisting of receivers on the right half.

TC chooses two large primes and publishes their product $M$. It uniformly chooses $K_k$ ($\in \mathbb{Z}^*_M$) for each node $v_k$ located at level 2 or higher. It also publishes a one-way hash function $H$, and $4(\log N - 1)$ primes $\{P_{XYZ} : \gcd(P_{XYZ}, \phi(M)) = 1,\ X \in \{L, R\},\ Y \in \{1, \ldots, \log N - 1\},\ Z \in \{l, r\}\}$. Prime $P_{XYZ}$ corresponds to an edge from node $v_w$ to its child node, where $v_w$ is located in the $X$ side (namely, L: left or R: right) half at the level of depth $Y$ in a subtree rooted at $v_k$, and the child node is on the $Z$ side (namely, l: left or r: right) of $v_w$. Figure 1 (B) shows the correspondence between node $v_k$ and primes $P_{XYZ}$. For example, prime $P_{L1r}$ corresponds to the edge from the left child of $v_k$ (this is $v_w$ in the above description) to its right child (i.e. $v_i$).

Subset key $SK_{k,(i,j)}$ of subset $S_{k,(i,j)}$ is calculated from its index $I_{k,(i,j)}$ as $SK_{k,(i,j)} = H(I_{k,(i,j)})$. Here, the index is defined as $I_{k,(i,j)} = K_k^{D_{k,(i,j)}} \bmod M$, where $D_{k,(i,j)}$ is the product of the primes corresponding to the edges on two paths: from $v_k$ to $v_i$ and from $v_k$ to $v_j$. For example, we have $D_{k,(i,j)} = P_{L1r} P_{R1r} P_{R2r}$ and $I_{k,(i,j)} = K_k^{P_{L1r} P_{R1r} P_{R2r}} \bmod M$ for the three nodes $v_k$, $v_i$ and $v_j$ in Fig. 1 (B).

In this arrangement, index $I_{k,(i',j')}$ and subset key $SK_{k,(i',j')}$ are easily computed from index $I_{k,(i,j)}$, where node $v_{i'}$ equals $v_i$ or one of its descendants, and $v_{j'}$ equals $v_j$ or one of its descendants. Let us look at another node $v_f$ in Fig. 1 (B), which is the left child of $v_i$. For subset $S_{k,(f,j)}$, we have $D_{k,(f,j)} = P_{L1r} P_{L2l} P_{R1r} P_{R2r}$ and $I_{k,(f,j)} = K_k^{P_{L1r} P_{L2l} P_{R1r} P_{R2r}} \bmod M$. If a receiver has index $I_{k,(i,j)}$, it can derive index $I_{k,(f,j)}$ as

$I_{k,(f,j)} = I_{k,(i,j)}^{\,D_{k,(f,j)} / D_{k,(i,j)}} \bmod M = I_{k,(i,j)}^{\,P_{L2l}} \bmod M,$

and compute the corresponding subset key as $SK_{k,(f,j)} = H(I_{k,(f,j)})$.
Fig. 2. The structure of HKL



Receiver $u_m$ is given indices $I_{k,(i,j)}$ such that: (1) node $v_k$ is located on $path_m$ at level 2 or higher, (2) node $v_i$ is a child node of $v_k$ just hanging off $path_m$, and (3) node $v_j$, just hanging off $path_m$, is a child node of another node $v_t$, where $v_t$ is a descendant of $v_k$ and located on $path_m$. The receiver stores $\frac{1}{2}\log^2 N - \frac{1}{2}\log N$ indices and two keys for the special subsets.



Example. An example construction with $N = 16$ given in [8] is depicted in Fig. 2. Receiver $u_m$ ($m = 1, \ldots, 9, a, \ldots, g$) assigned to leaf $v_m$ is given the following secret indices and keys. Note that node $v_{xy}$ in the figure denotes the root of the minimum subtree containing all leaves from $v_x$ to $v_y$, and $K_{xy}$ is the element of $\mathbb{Z}^*_M$ chosen for node $v_{xy}$. $SK_{ALL}$, $SK_{LH}$ and $SK_{RH}$ denote the subset keys of subsets $S_{ALL}$, $S_{LH}$ and $S_{RH}$, respectively. We omit "mod M" for simplicity (only the row for $u_g$ is legible in this copy):

$u_g$: $K_{1g}^{P_{R1l}}$, $K_{1g}^{P_{R1r} P_{R2l}}$, $K_{1g}^{P_{R1r} P_{R2r} P_{R3l}}$, $K_{9g}^{P_{R1l}}$, $K_{9g}^{P_{R1r} P_{R2l}}$, $K_{dg}^{P_{R1l}}$, $SK_{RH}$, $SK_{ALL}$

3.1 The Attack 

In this section we present a concrete attack on the above example construction 
of HKL. This attack uses the secret indices possessed by two receivers, and de- 
rives indices and subset keys which have not been given to any of the colluding 
receivers. 

Suppose that two receivers $u_1$ and $u_g$ in the example collude with each other. In other words, attacker Z knows the indices given to these receivers. We focus on $u_1$'s $I_{1g,(58,9g)} = K_{1g}^{P_{L1r}} \bmod M$ and $u_g$'s $I_{1g,(18,9c)} = K_{1g}^{P_{R1l}} \bmod M$. Since $P_{L1r}$ and $P_{R1l}$ are different public primes, Z can compute integers $\alpha$ and $\beta$ such that $\alpha P_{L1r} + \beta P_{R1l} = 1$, using the extended Euclidean algorithm [9]. The running time of the algorithm is $O(\log P_{L1r} \log P_{R1l})$. Here, either $\alpha$ or $\beta$ must be positive, and the other must be negative. Z computes $K_{1g}$ as follows: if $\alpha < 0$,

$K_{1g} = \left( (I_{1g,(58,9g)})^{-1} \right)^{-\alpha} (I_{1g,(18,9c)})^{\beta} \bmod M,$

otherwise

$K_{1g} = (I_{1g,(58,9g)})^{\alpha} \left( (I_{1g,(18,9c)})^{-1} \right)^{-\beta} \bmod M.$

Note that Z can use the extended Euclidean algorithm in order to compute the inverse of $I_{1g,(58,9g)}$ or $I_{1g,(18,9c)}$. Now, using $K_{1g}$ and the public primes, Z can compute any index $I_{k,(i,j)}$ such that $v_k = v_{1g}$. Moreover, it is also easy to compute subset key $SK_{k,(i,j)}$ from index $I_{k,(i,j)}$.

It should be noted that other pairs of indices are also useful for this attack. For example, if Z uses $u_1$'s $K_{18}^{P_{L1r}} \bmod M$ and another receiver's $K_{18}^{P_{R1l}} \bmod M$, the attacker can obtain $K_{18}$ and compute any index $I_{k,(i,j)}$ such that $v_k = v_{18}$. In general, there are pairs of receivers such that one of the pair has $K^{D_1} \bmod M$ and the other has $K^{D_2} \bmod M$, where $\gcd(D_1, D_2) = D_3$. Using these indices, one can obtain $K^{D_3} \bmod M$ and compute any index $K^{D_4} \bmod M$ such that $D_3 \mid D_4$. The problem with HKL is that such an index $K^{D_4} \bmod M$ is used as a secret of other receivers.
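The index derivation of Section 3 and the two-receiver collusion of Section 3.1, as an added worked example written for this edit (it is not code from the paper). The modulus, the edge-prime values and the use of SHA-256 for $H$ are toy choices constructed for illustration; only the edge names ($P_{L1r}$, $P_{R1l}$, ...) and the node $v_{1g}$ come from Fig. 1 (B) and the example above. The point it makes is the one the section makes: two indices with coprime exponents under the same node secret let the colluders recover the node secret and hence every index under that node, so the receivers' secrets are not independent.

```python
import math
import random
from hashlib import sha256

# Toy instance of the HKL index structure (Sect. 3) and the collusion of Sect. 3.1.
# All values are constructed for illustration and far too small to be secure.
P_FACTOR, Q_FACTOR = 1000003, 1000033        # TC's two secret primes
M = P_FACTOR * Q_FACTOR                      # public modulus
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)
# Public edge primes P_{XYZ} (names as in Fig. 1 (B); values assumed here).
PRIMES = {"L1r": 101, "R1l": 103, "R1r": 107, "R2r": 109, "L2l": 113}
assert all(math.gcd(p, PHI) == 1 for p in PRIMES.values())

def egcd(a, b):
    """Extended Euclid: returns (g, alpha, beta) with alpha*a + beta*b = g."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_pow_signed(base, exp):
    """base^exp mod M for a possibly negative exp; the inverse comes from egcd."""
    if exp < 0:
        g, inv, _ = egcd(base % M, M)
        assert g == 1, "base is not invertible mod M"
        base, exp = inv % M, -exp
    return pow(base, exp, M)

def hkl_index(k_secret, edge_names):
    """I_{k,(i,j)} = K_k^{D_{k,(i,j)}} mod M, D = product of the edge primes."""
    d = math.prod(PRIMES[n] for n in edge_names)
    return pow(k_secret, d, M)

def hkl_subset_key(index):
    """SK_{k,(i,j)} = H(I_{k,(i,j)}); H is instantiated with SHA-256 here."""
    return sha256(index.to_bytes(8, "big")).hexdigest()

def derive_descendant_index(index, extra_edges):
    """Legitimate derivation: I_{k,(f,j)} = I_{k,(i,j)}^{D_{k,(f,j)} / D_{k,(i,j)}}."""
    return pow(index, math.prod(PRIMES[n] for n in extra_edges), M)

def recover_node_secret(index_a, prime_a, index_b, prime_b):
    """Sect. 3.1: from K^{P_a} and K^{P_b} with coprime P_a, P_b, recover K."""
    g, alpha, beta = egcd(prime_a, prime_b)
    if g != 1:
        return None
    return (mod_pow_signed(index_a, alpha) * mod_pow_signed(index_b, beta)) % M

def demo(seed=2004):
    """Returns (legit derivation ok, recovered K == K_1g, forged index == genuine)."""
    rng = random.Random(seed)
    k_1g = rng.randrange(2, M)               # secret of node v_1g, held only by TC
    while math.gcd(k_1g, M) != 1:
        k_1g = rng.randrange(2, M)
    # Fig. 1 (B): I_{k,(i,j)} with D = P_L1r P_R1r P_R2r and its descendant I_{k,(f,j)}.
    idx_ij = hkl_index(k_1g, ["L1r", "R1r", "R2r"])
    legit = derive_descendant_index(idx_ij, ["L2l"]) == hkl_index(
        k_1g, ["L1r", "L2l", "R1r", "R2r"])
    # Collusion: u_1 holds K_1g^{P_L1r}, u_g holds K_1g^{P_R1l}.
    idx_u1 = hkl_index(k_1g, ["L1r"])
    idx_ug = hkl_index(k_1g, ["R1l"])
    recovered = recover_node_secret(idx_u1, PRIMES["L1r"], idx_ug, PRIMES["R1l"])
    # An index neither colluder was given, e.g. D = P_R1r P_R2r, is now computable.
    forged = hkl_index(recovered, ["R1r", "R2r"])
    return legit, recovered == k_1g, forged == hkl_index(k_1g, ["R1r", "R2r"])
```

The derivation in `recover_node_secret` is just the identity $K = (K^{P_a})^{\alpha} (K^{P_b})^{\beta}$ when $\alpha P_a + \beta P_b = 1$; the negative coefficient is absorbed by a modular inverse, exactly as the text describes. The method of Section 4 avoids this by giving each receiver a single intermediate label from which only labels of subsets it belongs to can be derived.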

4 The Proposed Method 

Asano [2] has reported some facts about SD. One is that receivers belonging to subset $S_{i,j}$ also belong to subset $S_{P(i),S(i)}$. Another is that there are two cases in which a label is obtained by a receiver: label $LABEL_{i,j}$ is (case I) directly given to the receiver, or (case II) derived from another label using generator $G$ by the receiver. However, only case I exists for the special labels $LABEL_{i,j}$ such that $i$ is the parent of $j$. The third fact is that each receiver stores $\log N$ special labels. We apply the mechanism proposed by Nojima et al. [12] and Ogata et al. [13] to these special labels in SD to reduce the storage overhead.



4.1 Setup 

1. TC defines a rooted full binary tree with $N$ leaves. Each node is numbered $l$ ($l = 1, 2, \ldots, 2N - 1$), where the root is 1 and the other nodes are numbered in breadth-first order. Receiver $u_m$ ($m = 1, 2, \ldots, N$) is assigned to each leaf in the tree. For each internal node $i$ ($i = 1, 2, \ldots, N - 1$), TC defines subsets $S_{i,j} = S_i \setminus S_j$, such that $j$ is a descendant of $i$, in the same way as in SD. Let $SS_{i,k}$ denote a special subset, i.e. one in which $i$ is the parent of $k$, among all subsets. Note that each $k$ ($k = 2, 3, \ldots, 2N - 1$) appears exactly once in the representations of all special subsets $SS_{i,k}$. TC also defines subset $S_{1,\phi}$ including all receivers, for the case where there are no revocations.

2. TC selects the parameters of RSA, i.e. modulus $M$ and exponents $e$ and $d$, and publishes $M$ and $e$. It also publishes a pseudo-random sequence generator $G : \{0,1\}^C \to \{0,1\}^{3C}$ and pairwise independent hash functions $H_1 : \{0,1\}^{|M|} \to \{0,1\}^C$ and $H_2 : \{0,1\}^* \to \{0,1\}^{|M|}$, where $C$ is the key size of the algorithm used for encryption of the secret information. TC generates $x_k$ ($k = 1, \ldots, 2N - 1$) as
Fig. 3. A binary tree and receivers



follows. It chooses a random value $x_1 \in \mathbb{Z}^*_M$ and computes the values from $x_2$ to $x_{2N-1}$ as $x_k = (x_{\lfloor k/2 \rfloor} + H_2(k))^d \bmod M$. Then TC defines intermediate labels $IL_{1,\phi}$ for subset $S_{1,\phi}$, and $IL_{i,k}$ for special subsets $SS_{i,k}$. It sets $IL_{1,\phi} = x_1$ and $IL_{P(k),S(k)} = x_k$ for $k = 2, \ldots, 2N - 1$. Note that the latter is also denoted as $IL_{k,2k} = x_{2k+1}$ and $IL_{k,2k+1} = x_{2k}$ for $k = 1, \ldots, N - 1$. Labels of these subsets are defined as $LABEL_{1,\phi} = H_1(IL_{1,\phi})$ and $LABEL_{i,k} = H_1(IL_{i,k})$.

3. Using generator $G$ and the special labels $LABEL_{i,k}$, TC generates the labels $LABEL_{i,j}$ for all subsets $S_{i,j}$. This process is the same as in SD.

4. For receiver $u_m$, TC tentatively selects the labels which would be given to $u_m$ in SD, except for label $LABEL_{1,\phi}$. These are the labels $LABEL_{i,j}$ such that $i$ is located on $path_m$ and $j$ is a descendant of $i$ just hanging off $path_m$. Among these selected labels, TC gives the non-special labels to $u_m$. In addition, TC gives $u_m$ the intermediate label $IL_{P(n),S(n)}$, where $n$ is the leaf to which $u_m$ is assigned.

Example. Figure 3 depicts a binary tree with $N = 16$. In SD, receiver $u_4$ assigned to leaf 19 stores eleven labels: $LABEL_{1,\phi}$ and $LABEL_{i,j}$ such that $(i, j) \in \{(1, 3), (1, 5), (1, 8), (1, 18), (2, 5), (2, 8), (2, 18), (4, 8), (4, 18), (9, 18)\}$. In our method, receiver $u_4$ stores the intermediate label $IL_{9,18}$ and six labels: $LABEL_{1,5}$, $LABEL_{1,8}$, $LABEL_{1,18}$, $LABEL_{2,8}$, $LABEL_{2,18}$ and $LABEL_{4,18}$.

4.2 Broadcasting 

The way to transmit secret information $I$ is the same as in SD. Namely, TC finds an appropriate disjoint union of subsets which includes all unrevoked receivers but no revoked ones, encrypts $I$ with each of the corresponding subset keys, and broadcasts the ciphertexts. The way to derive subset key $SK_{i,j}$ from label $LABEL_{i,j}$ is also the same as in SD, i.e. $SK_{i,j} = G_M(LABEL_{i,j})$.

4.3 Decryption 

An unrevoked receiver belongs to a subset corresponding to one of the subset keys used for encryption in the broadcasting phase. The way for the receiver to find the appropriate ciphertext to decrypt is the same as in SD. After finding the ciphertext, the receiver derives the corresponding subset key $SK_{i,j}$ from its intermediate label or from another label as follows, then decrypts the ciphertext.

Receiver $u_m$ checks that node $j$ of the subset $S_{i,j}$ corresponding to the subset key $SK_{i,j}$ used for the ciphertext is either (a) a descendant of a node $k$ (including the case $j = k$) such that $u_m$ stores label $LABEL_{i,k}$, or (b) a descendant of a node $k$ (including the case $j = k$) such that subset $S_{i,k}$ is a special subset and the corresponding special label $LABEL_{i,k}$ can be derived from its intermediate label $IL_{P(n),S(n)}$ (in other words, $j$ is equal to $k$ or one of its descendants, where $k$ is the child node of $i$ not located on $path_m$). If no receivers are revoked and subset key $SK_{1,\phi}$ is used, it is case (b). In case (b), $u_m$ derives intermediate label $IL_{i,k}$ from the intermediate label $IL_{P(n),S(n)}$ it possesses as follows. If $i = P(n)$ and $j = k = S(n)$, it already has $IL_{i,k}$. Otherwise, $u_m$ computes intermediate label $IL_{P(P(n)),S(P(n))}$ as

$IL_{P(P(n)),S(P(n))} = \left( (IL_{P(n),S(n)})^e - H_2(n) \right) \bmod M.$

By repeating this operation, $u_m$ can compute any intermediate label corresponding to a special subset to which it belongs. Namely, $IL_{P(P(t)),S(P(t))} = ((IL_{P(t),S(t)})^e - H_2(t)) \bmod M$, where $t$ is a node on $path_m$. Intermediate label $IL_{1,\phi}$ is also derived from $IL_{1,2}$ or $IL_{1,3}$ as $IL_{1,\phi} = ((IL_{1,2})^e - H_2(3)) \bmod M = ((IL_{1,3})^e - H_2(2)) \bmod M$. After obtaining $IL_{i,k}$, it derives the corresponding label as $LABEL_{i,k} = H_1(IL_{i,k})$.

The remaining process is common to both cases (a) and (b), and it is the same as in the original SD: the receiver applies generator $G$ to label $LABEL_{i,k}$ at most $\log N$ times to obtain $LABEL_{i,j}$, then derives subset key $SK_{i,j} = G_M(LABEL_{i,j})$ for decryption of the ciphertext.

5 Discussion 

5.1 Security 

The subset keys in our method are generated in three steps: (Step 1) special label $LABEL_{i,k}$ for special subset $SS_{i,k}$ is generated using the mechanism based on trapdoor one-way permutations, (Step 2) label $LABEL_{i,j}$ for non-special subset $S_{i,j}$ is derived from the special label with generator $G$, then (Step 3) subset key $SK_{i,j}$ is computed from label $LABEL_{i,j}$ using $G$.

The mechanism for the derivation of special labels was proposed by Nojima et al. [12] and Ogata et al. [13] independently. They used this mechanism for node keys in CS. Nojima et al. demonstrated the intractability of node keys in their method under the assumption that RSA is secure. Namely, if there exists a polynomial-time algorithm A that, given all node keys known to a coalition of revoked receivers, outputs a node key which is not known to any of the colluding receivers with probability $P_A$, we can construct a polynomial-time algorithm B that computes $x^d \bmod M$ for any $x$ with probability $P_B$ that is at least $P_A$ divided by a polynomial factor. Ogata et al. constructed a similar scheme without using hash function $H_2$, and showed that the security of their scheme is still equivalent to RSA. These analyses show that it is difficult for any coalition of receivers to obtain an intermediate label $IL_{i,k}$ corresponding to a special subset $SS_{i,k}$ to which no receiver in the coalition belongs. Special label $LABEL_{i,k}$ is derived from the intermediate label as $LABEL_{i,k} = H_1(IL_{i,k})$. Since the output of $H_1$ is pairwise independent, it is also difficult for any coalition with no receivers belonging to $SS_{i,k}$ to obtain $LABEL_{i,k}$.

Since the process in Steps 2 and 3 is the same as in SD, the discussion of the 
security of SD given in [10] is applicable to these steps. The combination of this 
and the above discussions shows the intractability of subset keys in our method. 
To conclude, we say that our method is secure against any coalition of revoked 
receivers if RSA is secure. 

5.2 Communication Overhead 

Since our method adopts the same way of sending secret information as SD, the communication overhead is also the same. Namely, the upper bound on the number of ciphertexts is $2r - 1$, where $r$ is the number of revoked receivers.

5.3 Storage and Computational Overhead 

We first consider the size of the receiver's secure memory for storing labels. Recall that the number of labels a receiver stores is $\frac{1}{2}\log^2 N + \frac{1}{2}\log N + 1$ in SD. $\log N$ of them are special labels and another label is $LABEL_{1,\phi}$. In our method, a receiver derives these $\log N + 1$ labels from an intermediate label. Therefore the total number of labels and intermediate labels a receiver stores becomes $\frac{1}{2}\log^2 N - \frac{1}{2}\log N + 1$. Since the derivation mechanism is based on RSA, the size of the intermediate label is the size of a secure RSA modulus. Recall that SD-MK denotes the modification of SD proposed in [2], using the master-key technique. If we consider an example with the same parameters as in [2], i.e. $N = 2^{25}$, $|LABEL_{i,j}| = C = 128$ bits and $|IL_{i,j}| = |M| = 1024$ bits, then the size of the secure memory of the receiver in our method is about 5.5% smaller than in SD, which is the same reduction rate as SD-MK. However, the computational or non-secret storage overhead in ours is far smaller, as discussed below.

SD-MK uses $2N - 1$ primes as public information in total, and each receiver needs a unique combination of $\log N + 1$ primes. Receivers must store them (which increases the non-secret storage overhead) or generate them by calculation (which increases the computational overhead). On the other hand, our method uses only one public exponent $e$. This reduces the non-secret storage or computational overhead significantly compared with SD-MK.

Next, let us study the computational overhead. In order to derive a special label from an intermediate label, the receiver in our method performs at most $\log N$ modular exponentiations with exponent $e$. As in usual RSA applications, we can use a special value of $e$ which reduces the computational cost. We estimate the cost of one evaluation of modular exponentiation at $O(\log^2 M)$. After deriving the targeted intermediate label, the receiver feeds the intermediate label into the pairwise independent hash function $H_1$. It has been reported in [11] that the computational overhead of an evaluation of such a function is much smaller than a modular exponentiation, so we ignore it. In total, the computational overhead of the receiver in our method is $O(\log N \log^2 M)$.

Here we consider SD-MK. It has been reported in [2] that the computational overhead for the generation of primes for a receiver in SD-MK is $O(\log^5 N)$. Even if the receiver stores these primes in order to avoid generating them, it still needs $O(\log^2 N \log^2 M)$ computation for the derivation of the subset key. Hence, our method is more efficient than SD-MK by at least a factor of $\log N$.

Note that the receiver must derive a special label only in case (b) in the 
decryption phase. In addition, in either case (a) or (b), the receiver must compute 
the subset key from the derived special label or the non-special label it stores 
using generator G at most log N times, which is also necessary in SD and SD-MK. 

6 Modification of the Layered Subset Difference Method 

6.1 The Basic LSD Method 

Suppose that $\log^{1/2} N$ is an integer. BLSD defines the level of the root and every level of depth $l \log^{1/2} N$ for $l = 1, 2, \ldots, \log^{1/2} N$ as special. It also defines the collection of levels between (and including) adjacent special levels as a layer.

A subset $S_{i,j}$ defined in BLSD satisfies at least one of the following additional conditions: both $i$ and $j$ belong to the same layer, or $i$ is located at a special level. Namely, BLSD adopts stricter conditions for subsets than SD, which reduces the number of labels a receiver stores. It has been reported in [2] that the number of labels for a receiver in BLSD is $\log^{3/2} N + 1$.

Consider two nodes $i$ and $j$ such that $j$ is a descendant of $i$ but which do not satisfy either of the above two conditions. Although subset $S_{i,j}$ is defined in SD, it is not defined in BLSD and must be represented using two defined subsets as $S_{i,j} = S_{i,k} \cup S_{k,j}$, where $k$ is the first node on the path from $i$ to $j$ which is located at a special level. As a result, the communication overhead of BLSD becomes at most twice that of SD.

6.2 Modification of the Basic LSD Method 

Our modification of SD adopts the mechanism using trapdoor one-way permutations in order to derive $\log N + 1$ labels from an intermediate label, and this can be applied directly to BLSD. We avoid giving a detailed construction of our modification of BLSD, since it is almost the same as the modification of SD. Recall that SD and BLSD differ only in the conditions for subsets. This relationship also holds between our modifications of these methods.

Let us consider the example tree illustrated in Fig. 3 again. There exist three special levels: the level of the root, nodes 4 to 7, and the leaves. In the original BLSD, receiver $u_4$ stores nine labels: $LABEL_{1,\phi}$ and the eight labels $LABEL_{i,j}$ such that $(i, j) \in \{(1, 3), (1, 5), (1, 8), (1, 18), (2, 5), (4, 8), (4, 18), (9, 18)\}$. On the other hand, receiver $u_4$ in our method stores only four labels ($LABEL_{1,5}$, $LABEL_{1,8}$, $LABEL_{1,18}$ and $LABEL_{4,18}$) and the intermediate label $IL_{9,18}$.
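To check the label counts quoted for receiver $u_4$ here and in Section 4.1, the following is an added enumeration of the SD and BLSD label sets (example code written for this edit, not the paper's own). The layer condition is implemented as described in Section 6.1, with $\sqrt{\log N}$ assumed to be an integer, the tree is numbered as in Section 4.1, and the closed forms $\frac{1}{2}\log^2 N \pm \frac{1}{2}\log N + 1$ and $\log^{3/2} N + 1$, $\log^{3/2} N - \log N + 1$ are compared against the enumeration for a larger tree as well.

```python
import math

# Label-set enumeration for SD vs. BLSD (Sect. 2, 6.1, 6.2), constructed to check
# the receiver-u_4 example of Fig. 3. Node numbering as in Sect. 4.1 (root 1,
# children 2a and 2a+1, leaves N..2N-1), so depth(node) = floor(log2 node).

def path_to_root(leaf):
    """Nodes of path_m, from the root down to the leaf."""
    return [leaf >> s for s in range(leaf.bit_length() - 1, -1, -1)]

def depth(node):
    return node.bit_length() - 1

def sd_pairs(leaf):
    """(i, j) of the labels LABEL_{i,j} a receiver holds in SD: i on path_m and
    j hanging off path_m below i (LABEL_{1,phi} is counted separately)."""
    path = path_to_root(leaf)
    return {(i, t ^ 1) for a, i in enumerate(path[:-1]) for t in path[a + 1:]}

def blsd_allowed(N, i, j):
    """BLSD keeps S_{i,j} only if i is at a special level or i and j share a layer.
    Special levels are the multiples of sqrt(log N), assumed to be an integer."""
    s = math.isqrt(int(math.log2(N)))
    if depth(i) % s == 0:
        return True
    next_special_level = -(-depth(i) // s) * s     # special level just below i
    return depth(j) <= next_special_level

def blsd_pairs(N, leaf):
    return {(i, j) for (i, j) in sd_pairs(leaf) if blsd_allowed(N, i, j)}

def special(pairs):
    """Special subsets SS_{i,k}: i is the parent of k."""
    return {(i, j) for (i, j) in pairs if j // 2 == i}

def storage_counts(N, leaf):
    """Items held (including LABEL_{1,phi}) in SD and BLSD, and in the modifications
    of Sect. 4 and 6.2, where the special labels and LABEL_{1,phi} are replaced by
    one intermediate label (counted as one item)."""
    sd, bl = sd_pairs(leaf), blsd_pairs(N, leaf)
    return {"SD": len(sd) + 1, "SD-mod": len(sd - special(sd)) + 1,
            "BLSD": len(bl) + 1, "BLSD-mod": len(bl - special(bl)) + 1}

def formula_counts(N):
    """The closed forms quoted in the paper, for comparison."""
    L = math.log2(N)
    return {"SD": int(round(L * L / 2 + L / 2 + 1)),
            "SD-mod": int(round(L * L / 2 - L / 2 + 1)),
            "BLSD": int(round(L ** 1.5 + 1)),
            "BLSD-mod": int(round(L ** 1.5 - L + 1))}
```

For $N = 16$ and leaf 19 the enumeration gives 11, 7, 9 and 5 items, matching both the example and the formulas; for $N = 2^{16}$ the enumeration agrees with the formulas for every leaf, which is a quick sanity check that the layer condition was transcribed correctly.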

It has been reported in [2] that the number of special labels the receiver stores in BLSD is $\log N$. In our modification, the receiver can derive these special labels and label $LABEL_{1,\phi}$ from its intermediate label. Therefore, the total number of labels and intermediate labels for the receiver becomes $\log^{3/2} N - \log N + 1$, which is $\log N$ fewer than in BLSD. If we consider the same parameters again, i.e. $N = 2^{25}$, $|LABEL_{i,j}| = C = 128$ bits and $|IL_{i,j}| = |M| = 1024$ bits, then the total size of the labels a receiver stores is 14% smaller than in BLSD. While this reduction rate is the same as in the modification of BLSD proposed in [2] based on the master-key technique, the advantage of our method is the non-secret storage and computational overhead, as noted in Section 5.3.

Our modification only changes the mechanism for generation of labels and 
it does not affect the communication overhead. The discussions of the security 
and the storage and computational overhead in our modification of SD given in 
Section 5 are directly applicable not only to the modification of BLSD but also 
to the modification of GLSD which will be presented in Section 6.4. 

6.3 The General LSD Method 

GLSD uses several kinds of special levels and stricter conditions for subsets than BLSD. Halevy et al. [7] have provided the following explanation. The path from the root to a leaf in the tree is considered as a line graph. A node in the graph, which corresponds to a node in the tree, is represented by its distance from the root, expressed as a $d$-digit number in base $b = O(\log^{1/d} N)$. For example, the root of the tree is represented by $0 \ldots 00$, its child node by $0 \ldots 01$, etc.

Subset $S_{i,j}$ in GLSD satisfies the following condition: if node $i$ in the graph is represented as a $d$-digit number in base $b$ by $x\,a\,\bar{0}$, then node $j$ must be represented either by $(x + 1)\,\bar{0}$ or by any number $x\,a'\,\bar{y}$, where $a$ is the rightmost nonzero digit, $x$ is a sequence of arbitrary digits, $\bar{0}$ is a sequence of zeroes, $a' > a$, and $\bar{y}$ is an arbitrary sequence of digits of the same length as $\bar{0}$. Note that the number of trailing zeroes in the representation of node $i$ determines how special it is. Node $j$ of a defined subset $S_{i,j}$ can be any node from $i + 1$ to the first node which is even more special than $i$, inclusive.

Any subset in SD can be represented as a disjoint union of at most $d$ subsets in GLSD. Thus the communication overhead of GLSD is $d$ times larger than that of SD. As we enlarge parameter $d$, the number of labels a receiver stores decreases, and finally it becomes $O(\log^{1+\epsilon} N)$, where $\epsilon > 0$ is an arbitrary value.

6.4 Modification of the General LSD Method 

We can apply the same mechanism to GLSD in order to reduce the number of 
labels a receiver stores, as we have already done to SD and BLSD. Note that 
the difference between BLSD and GLSD is only the condition for defined subsets. 
Therefore we omit a detailed description of our modification of GLSD in order to 
avoid redundancy. We just say that it is constructed with the same mechanism 
for deriving special labels from an intermediate label. 

As reported in [2], the receiver in GLSD stores the same number of special labels as in SD and BLSD, i.e. $\log N$. Our modification eliminates these $\log N$ special labels and label $LABEL_{1,\phi}$ from the receiver's storage in exchange for the addition of the intermediate label. Recall that the receiver stores $O(\log^{1+\epsilon} N)$ labels in GLSD, where $\epsilon$ is an arbitrary positive value. Therefore, this reduction can be very significant. This reduction rate is the same as that of the modification of GLSD proposed in [2]; however, our method is more efficient with regard to the non-secret storage and computational overhead, as discussed in Section 5.
Abstract. It was shown in [K. Kurosawa et al., Proc. PKC'02, LNCS 2274, pp. 172-187, 2002] that a public-key $(k, n)$-traitor tracing scheme, called the linear-coded Kurosawa-Desmedt scheme, can be derived from an $[n, u, d]$-linear code such that $d \ge 2k + 1$. In this paper, we show that the linear-coded Kurosawa-Desmedt scheme can be modified to allow revocation of users, that is, we show that a revocation scheme can be derived from a linear code. The overhead of the modified scheme is very small: there is no extra user secret key storage, the public encryption key size remains the same, and the ciphertext size is of length $O(k)$. We prove that the modified scheme is semantically secure against a passive adversary. Since the Boneh-Franklin scheme is proved to be equivalent to a slight modification of the corrected Kurosawa-Desmedt scheme, we show that we can also modify the Boneh-Franklin scheme to provide user revocation capability. We also look at the problem of permanently removing a traitor in the Boneh-Franklin scheme and prove some negative results.



1 Introduction 

Digital content distribution is an important application of global networking. 
In such an application, data suppliers want their digital content to be available 
to authorized users only. The number of authorized users is large enough so 
that broadcasting data is much more efficient than establishing a secure channel 
between the data supplier and each individual authorized user. 

In a public-key $(k, n)$-traitor tracing scheme, there are $n$ users, each holding a secret decryption key (or a decoder device). The encryption key is made public and the data supplier can use this public key to encrypt the digital content and broadcast the corresponding ciphertext. Authorized users, using their secret decryption keys, should be able to decrypt the broadcast messages. If a coalition of up to $k$ users colludes to form a pirate decryption device, then upon capturing this pirate device, the system uses a tracing algorithm to identify at least one of the colluders.

Kurosawa-Desmedt [12] and Boneh-Franklin [2] proposed public-key traitor tracing schemes based on the difficulty of the decision Diffie-Hellman problem. To avoid the linear attack [18,2], the Kurosawa-Desmedt scheme is modified to become the corrected Kurosawa-Desmedt scheme. It is an important property that the corrected Kurosawa-Desmedt scheme can be generalized to use any linear code. It is shown that a public-key $(k, n)$-traitor tracing scheme, called the linear-coded Kurosawa-Desmedt scheme [13], can be derived from an $[n, u, d]$-linear code such that $d \ge 2k + 1$, and that the Boneh-Franklin scheme is equivalent to the linear-coded Kurosawa-Desmedt scheme where a Reed-Solomon code is used.

In both the Kurosawa-Desmedt and Boneh-Franklin schemes, broadcast data can be decrypted by all legitimate users and it is not possible to target the data to a subgroup of users. Trace and revoke schemes [1,7,16,22,21,17,20,5,6,19,11] have the extra property that users can be revoked, so the broadcast can be targeted to a subgroup of users. In the schemes [1,7,16,22,21] the encryption key is secret, so they support only one data provider. The scheme [5] by Dodis et al. is the first trace and revoke scheme that has CCA2 security. The scheme [11] by Kim et al. is a modification of the Dodis scheme; it has CCA2 security and its ciphertext size is half that of Dodis's scheme. Most public-key revocation schemes are polynomial based and make use of Shamir's secret sharing technique: the secret key held by each user corresponds to the value of the polynomial at a specific point, and when a user is revoked, information on the polynomial value corresponding to the revoked user is broadcast in the ciphertext.

In this paper, we show that the linear-coded Kurosawa-Desmedt and the 
Boneh-Franklin schemes can be modified to have user revocation capability. 
It is interesting that in modifying these schemes we do not introduce any more 
complexity in the key generation process. Users will keep exactly the same secret 
keys as the original schemes. The public encryption key in the linear-coded 
Kurosawa-Desmedt remains the same as it is in the modified scheme. For the 
Boneh-Franklin scheme, only one more group element is added into the public 
encryption key. The ciphertext size is as efficient as in other revoke schemes [17, 20,11,19,6]. For a tracing threshold $k$, our modified schemes can afford up to $2k - 1$ user revocations, and the ciphertext consists of $2k$ field elements and $2k + 2$ group elements. We also prove the semantic security of our proposed revocation schemes.

Dodis et al. [6] introduced the notion of a scalable system. A broadcast system is server-side scalable if any party can broadcast messages; this can be accomplished by using a public-key approach. A broadcast system is client-side scalable if it supports an increasing number of add-user and remove-user operations. Our proposed revocation schemes are server-side scalable but not client-side scalable, since they cannot remove more than $2k$ users. The only known scalable scheme is the Dodis et al. scheme [6]. In this paper, we look at the possibility of repeatedly and permanently removing users by modifying only the public key and the public parts of users' keys. If it were possible to do so, then we would have a client-side scalable scheme. Unfortunately, we prove that it is not possible, at least for the Boneh-Franklin scheme. We first consider the case where we remove a user by modifying only the public encryption key, so that the decryption key of the removed user becomes invalid in the new encryption-decryption system while the remaining non-removed users keep valid decryption keys. We show that it is impossible to do so. The second case we consider is to remove a user by modifying the public encryption key and the public parts of users' keys (which are the rows of the public matrix). We show that it is also impossible to do so in this case.

The rest of the paper is organized as follows. In section 2, we give a model of 
traitor tracing scheme. The Boneh-Franklin scheme, the corrected Kurosawa- 
Desmedt and the linear-coded Kurosawa-Desmedt schemes are reviewed in sec- 
tion 3. In section 4, we present revocation functionality for these three schemes. 
In section 5, we look at the problem of permanently removing a user in the 
Boneh-Franklin scheme and prove some negative results. 

2 Preliminaries 

An $[n, u, d]$-linear code is a linear code that contains $n$ codewords, has dimension $u$ and minimum Hamming distance $d$. The parity check matrix of an $[n, u, d]$-linear code is a matrix of size $(n - u) \times n$ in which any $d - 1$ column vectors are linearly independent. The notation $\cdot$ denotes the inner product of two vectors.

Let $q > n$ be a prime number. Let $G_q$ be a group of prime order $q$. The Decision Diffie-Hellman problem in $G_q$ is to determine whether $w = uv$ given $g, g^u, g^v, g^w$, where $g$ is chosen at random from $G_q$ and $u, v, w$ are chosen at random from $\mathbb{Z}_q$.

2.1 Model of Traitor Tracing 

A $(k, n)$-traitor tracing scheme with revocation has four components.

Key Generation: given a security input $P$, the key generation procedure outputs an encryption key $PK$ and $n$ user decryption keys $SK_1, \ldots, SK_n$. The encryption key $PK$ is made public so any data supplier can use it to broadcast data. The decryption key $SK_i$ is given to user $i$ to keep secret.

Encryption: taking as input a message $M$, the encryption key $PK$ and a revoked set of users $R$, the encryption procedure $\mathcal{E}$ outputs the corresponding ciphertext $C = \mathcal{E}_{PK}(R, M)$. If the scheme does not support revocation (for instance, the linear-coded Kurosawa-Desmedt scheme and the Boneh-Franklin scheme) then $R$ is always the empty set.

Decryption: taking as input a ciphertext $C = \mathcal{E}_{PK}(R, M)$ and a decryption key $SK_i$, the decryption procedure $\mathcal{D}$ outputs the message $M$ if $i \notin R$.

Traitor Tracing: if up to $k$ users collude to form a pirate decryption box, then upon capturing this pirate device the traitor tracing procedure can identify at least one of the colluders. It is assumed that the pirate decryption box is resettable to its initial state.

There are two types of tracing: open-box tracing and black-box tracing. In open- 
box tracing, it is assumed that the pirate box can be opened and the pirate 
keys inside the box can be obtained. In black-box tracing, the tracing algorithm 
cannot open the decoder box and access the stored keys. However it can make 
queries and see the responses. That is, it can send encrypted contents to the box 
and see the outputs of the box. 
3 Previous Public-Key Traitor Tracing Schemes

In this section, we look at three public-key traitor tracing schemes: the Boneh- 
Franklin (BF) scheme [2], the linear-coded Kurosawa-Desmedt (LC-KD’) scheme 
and the corrected Kurosawa-Desmedt (corrected KD) scheme [13]. 

3.1 Boneh-Franklin Scheme

Below is the description of the Boneh-Franklin traitor tracing scheme for n users 
and collusion threshold k. 

Key Generation: Let $G_q$ be a group of prime order $q$ and $g$ be a group generator. It is assumed that the Decision Diffie-Hellman problem in $G_q$ is hard.

Let $A$ be the following $(n - 2k) \times n$ matrix

$$
A = \begin{pmatrix}
1 & 1 & 1 & \cdots & 1 \\
1 & 2 & 3 & \cdots & n \\
1 & 2^2 & 3^2 & \cdots & n^2 \\
1 & 2^3 & 3^3 & \cdots & n^3 \\
\vdots & \vdots & \vdots & & \vdots \\
1 & 2^{n-2k-1} & 3^{n-2k-1} & \cdots & n^{n-2k-1}
\end{pmatrix}
$$

Since $A$ has full rank, the equation $Ax = 0$ has a nullspace of dimension $2k$. Let $\Gamma$ be an $n \times 2k$ matrix whose columns are $2k$ independent solutions $x_1, \ldots, x_{2k}$ of $Ax = 0$. Let $\gamma^{(1)}, \ldots, \gamma^{(n)}$ denote the $n$ row vectors of $\Gamma$, each of length $2k$. The matrix $\Gamma$ is made public.

Choose random $b = (b_1, \ldots, b_{2k}) \in \mathbb{Z}_q^{2k}$. Let $\Gamma b = e = (e_1, \ldots, e_n)$. Let $h_1 = g^{b_1}, \ldots, h_{2k} = g^{b_{2k}}$. Choose random $r_1, \ldots, r_{2k}$ in $\mathbb{Z}_q$ and let $y = h_1^{r_1} \cdots h_{2k}^{r_{2k}}$.

We have $y = g^a$ with $a = b_1 r_1 + \ldots + b_{2k} r_{2k}$. (It is commented in [13] that it is redundant to store the system secret values $r_1, \ldots, r_{2k}$. Instead, we can just choose a random $a$ and let $y = g^a$.)

The public encryption key is $PK = (y, h_1, \ldots, h_{2k})$.

Note that the matrix $\Gamma$ is made public.

User secret decryption keys. For each $1 \le i \le n$, let $v_i = a / e_i$. The decryption key for user $i$ is the vector $\theta^{(i)} = v_i \gamma^{(i)}$. This decryption key can be thought of as a two-part key. The first part is the row vector $\gamma^{(i)}$ of the public matrix $\Gamma$. User $i$ only needs to keep the second part $v_i$ secret.

Discrete Log (DL) Representation. A vector $\theta = (\theta_1, \theta_2, \ldots, \theta_{2k}) \in \mathbb{Z}_q^{2k}$ satisfying

$$ y = h_1^{\theta_1} h_2^{\theta_2} \cdots h_{2k}^{\theta_{2k}} \qquad (1) $$

is called a DL-representation of the DL-element $y$ with respect to the DL-base $h_1, \ldots, h_{2k}$. Condition (1) is equivalent to

$$ a = \theta \cdot b = \theta_1 b_1 + \ldots + \theta_{2k} b_{2k} . \qquad (2) $$

We note that the decryption key for user $i$, $\theta^{(i)} = v_i \gamma^{(i)} \in \mathbb{Z}_q^{2k}$, is a scalar multiple of the $i$-th row vector $\gamma^{(i)}$ of the matrix $\Gamma$. It is also a DL-representation of $y$ with respect to $h_1, \ldots, h_{2k}$ since $\theta^{(i)} \cdot b = v_i (\gamma^{(i)} \cdot b) = v_i e_i = a$.
Encryption: a message $M \in G_q$ is encrypted as

$$ (M y^r, h_1^r, h_2^r, \ldots, h_{2k}^r) $$

where $r$ is randomly chosen in $\mathbb{Z}_q$.

Decryption: Any DL-representation $\theta \in \mathbb{Z}_q^{2k}$ of $y$ with respect to $h_1, \ldots, h_{2k}$ can be used to decrypt: raising both sides of (1) to the power $r$ recovers $y^r$ from the components $h_1^r, \ldots, h_{2k}^r$, which cancels the factor $y^r$ in the first component.

The decryption key of each user is a DL-representation, so each user can use it to decrypt the ciphertext.

Traitor tracing: a collusion of $c$ users can generate a pirate key from their $c$ keys $\theta^{(u_1)}, \ldots, \theta^{(u_c)}$ as follows

$$ \theta_{pirate} = \mu_1 \theta^{(u_1)} + \ldots + \mu_c \theta^{(u_c)}, \quad \text{where } \mu_1 + \ldots + \mu_c = 1 . $$

The pirate key $\theta_{pirate}$ is called a convex combination of the colluders' keys $\theta^{(u_1)}, \ldots, \theta^{(u_c)}$. It is easy to verify that $\theta_{pirate}$ is a DL-representation of $y$ with respect to $h_1, \ldots, h_{2k}$. Since each $\theta^{(u_j)}$ is a scalar multiple of $\gamma^{(u_j)}$, the pirate key $\theta_{pirate}$ is a linear combination of $\gamma^{(u_1)}, \ldots, \gamma^{(u_c)}$. The BF tracing algorithm is based on this fact. It uses Berlekamp's algorithm to identify all of the colluders $u_1, \ldots, u_c$: given a linear combination of $\gamma^{(u_1)}, \ldots, \gamma^{(u_c)}$ as input, Berlekamp's algorithm outputs all the indices $u_1, \ldots, u_c$.

3.2 Linear-Coded Kurosawa Desmedt (LC-KD’) Scheme 

Below is the description of the LC-KD' scheme for $n$ users and collusion threshold $k$.

Key Generation: Let $G_q$ be a group of prime order $q$ and $g$ be a group generator. It is assumed that the Decision Diffie-Hellman problem in $G_q$ is hard.

Let $C$ be an $[n, u, d]$-linear code over $\mathbb{Z}_q$ whose distance $d \ge 2k + 1$. Let $m = n - u$; we have $m \ge d - 1 \ge 2k$. (In the corrected KD scheme, it is chosen that $m = d - 1 = 2k$.) Let $H$ be the parity check matrix for $C$. Let $\Gamma = H^T$; then $\Gamma$ is a matrix of size $n \times m$. Let $\gamma^{(1)}, \gamma^{(2)}, \ldots, \gamma^{(n)}$ denote the $n$ row vectors of $\Gamma$, each of length $m \ge 2k$. Any $d - 1$ rows of $\Gamma$ are linearly independent.

Choose random $b = (b_1, \ldots, b_m) \in \mathbb{Z}_q^m$ such that $\gamma^{(i)} \cdot b \ne 0$ for $i = 1, \ldots, n$. Let $h_1 = g^{b_1}, \ldots, h_m = g^{b_m}$, and $\Gamma b = e = (e_1, \ldots, e_n)$. Then $e_i = \gamma^{(i)} \cdot b \ne 0$. The public encryption key is $PK = (g, h_1, \ldots, h_m)$.

Note that the matrix $\Gamma$ is made public.

User secret decryption keys. The decryption key for user $i$ is $e_i$.

Encryption: a message $M \in G_q$ is encrypted as

$$ (M g^r, h_1^r, h_2^r, \ldots, h_m^r) $$

where $r$ is randomly chosen in $\mathbb{Z}_q$.
Decryption: Each user $i$ uses the $i$-th row of $\Gamma$, $\gamma^{(i)}$, and his secret $e_i$ to decrypt as follows

$$ M = \frac{M g^r}{\left( (h_1^r)^{\gamma^{(i)}_1} (h_2^r)^{\gamma^{(i)}_2} \cdots (h_m^r)^{\gamma^{(i)}_m} \right)^{1/e_i}} . $$



3.3 The Corrected Kurosawa Desmedt Scheme 

The corrected KD scheme chooses an $[n, n - 2k, 2k + 1]$-Reed-Solomon code. The matrix $\Gamma$ in this case has size $n \times 2k$ and the $i$-th row vector of $\Gamma$ is $\gamma^{(i)} = (1, i, i^2, \ldots, i^{2k-1})$. Let $f(x) = b_1 + b_2 x + \ldots + b_{2k} x^{2k-1}$; then in the matrix equation $\Gamma \cdot b = e = (e_1, \ldots, e_n)$ we have $e_i = \gamma^{(i)} \cdot b = f(i)$. Thus, the secret key for user $i$ is the polynomial value $e_i = f(i)$.

Encryption: a message $M \in G_q$ is encrypted as

$$ (g^r, M h_1^r, h_2^r, \ldots, h_{2k}^r) $$

where $r$ is randomly chosen in $\mathbb{Z}_q$.

Decryption: Each user $i$ uses the secret key $e_i = f(i)$ to decrypt as follows

$$ M = \frac{(M h_1^r)(h_2^r)^{i} (h_3^r)^{i^2} \cdots (h_{2k}^r)^{i^{2k-1}}}{(g^r)^{f(i)}} . $$

4 Modified Schemes with Revocation 

In this section, we show that revocation schemes can be derived from linear codes. We propose a revocation technique for the three schemes: the linear-coded Kurosawa-Desmedt scheme, the corrected Kurosawa-Desmedt scheme and the Boneh-Franklin scheme. The advantage of the proposed schemes is that no user secret keys need to change. There are no changes to the public encryption keys, except in the BF scheme, where a single group element is added to the public key. The security is provable (semantic security against a passive adversary). The proposed revocation schemes are threshold schemes: up to $2k - 1$ users can be revoked, where $k$ denotes the collusion threshold. Broadcast ciphertexts contain $2k$ field elements and $2k + 2$ group elements, which is as efficient as other revocation schemes such as Naor-Pinkas [17], Tzeng-Tzeng [20], To et al. [19], and Kim et al. [11].

4.1 LC-KD’ with Revocation 

Revocation: Let $R$ be a subset of $\{1, \ldots, n\}$ such that $1 \le |R| \le 2k$. $R$ represents the set of revoked users. Choose $\beta = (\beta_1, \ldots, \beta_m)$ such that in the equation $\Gamma \cdot \beta = e = (e_1, \ldots, e_n)$ we have $e_i = 0$ if and only if $i \in R$. This can be done because any $2k$ rows of $\Gamma$ are linearly independent.

Let $\eta_1 = g^{\beta_1}, \ldots, \eta_m = g^{\beta_m}$.
A message $M \in G_q$ is encrypted as

$$ (g^{r_1}, M g^{r_2}, \beta_1, \ldots, \beta_m, h_1^{r_1} \eta_1^{r_2}, \ldots, h_m^{r_1} \eta_m^{r_2}) $$

where $r_1, r_2$ are random numbers in $\mathbb{Z}_q$.

Decryption. User $i$ first calculates $\gamma^{(i)} \cdot \beta$. If $\gamma^{(i)} \cdot \beta = 0$ then $i$ is revoked. Otherwise, $i \notin R$, and user $i$ can use the secret value $e_i$ from key generation and the vector $\gamma^{(i)}$ of the public matrix $\Gamma$ to decrypt

$$ \frac{M g^{r_2}}{\left( \dfrac{(h_1^{r_1} \eta_1^{r_2})^{\gamma^{(i)}_1} \cdots (h_m^{r_1} \eta_m^{r_2})^{\gamma^{(i)}_m}}{(g^{r_1})^{e_i}} \right)^{1/(\gamma^{(i)} \cdot \beta)}} = M . $$






4.2 The Corrected Kurosawa Desmedt Scheme 

If $R = \{i_1, \ldots, i_c\}$, $1 \le c \le 2k$, is the revoked user set, then in the revocation procedure we need to find a vector $\beta = (\beta_1, \ldots, \beta_{2k})$ such that in the equation $\Gamma \cdot \beta = e = (e_1, \ldots, e_n)$ we have $e_i = 0$ if and only if $i \in R$. Consider the polynomial $g(x) = \beta_1 + \beta_2 x + \ldots + \beta_{2k} x^{2k-1}$ formed by the vector $\beta$. We have $e_i = \gamma^{(i)} \cdot \beta = g(i)$. Thus $g(i) = 0$ if and only if $i \in R$. That means $g(x)$ can be written as $g(x) = (x - i_1) \cdots (x - i_c) z(x)$, where $z$ is a polynomial of degree up to $2k - c$ whose roots are not in the set $U = \{1, \ldots, n\}$. In particular, if the number of revoked users is $2k$ then $z(x)$ is a non-zero number in $\mathbb{Z}_q$.

In summary, for the corrected KD scheme, the revocation procedure is as 
follows. 

Revocation. Let $R = \{i_1, \ldots, i_c\}$, $1 \le c \le 2k$, be the revoked user set. Choose a random polynomial $z(x)$ of degree up to $2k - c$ such that $z(i) \ne 0$ for all $i = 1, \ldots, n$. Let $g(x) = (x - i_1) \cdots (x - i_c) z(x) = \beta_1 + \beta_2 x + \ldots + \beta_{2k} x^{2k-1}$. Let $\eta_1 = g^{\beta_1}, \ldots, \eta_{2k} = g^{\beta_{2k}}$.

A message $M \in G_q$ is encrypted as

$$ (g^{r_1}, M g^{r_2}, \beta_1, \ldots, \beta_{2k}, h_1^{r_1} \eta_1^{r_2}, \ldots, h_{2k}^{r_1} \eta_{2k}^{r_2}) $$

where $r_1, r_2$ are random numbers in $\mathbb{Z}_q$.

Decryption. User $i$ first calculates $g(i) = \beta_1 + \beta_2 i + \ldots + \beta_{2k} i^{2k-1}$. If $g(i) = 0$ then $i$ is revoked. For $i \notin R$, $g(i) = (i - i_1) \cdots (i - i_c) z(i) \ne 0$. User $i$ then uses the secret value $e_i = f(i)$ to decrypt

$$ \frac{M g^{r_2}}{\left( \dfrac{(h_1^{r_1} \eta_1^{r_2}) (h_2^{r_1} \eta_2^{r_2})^{i} \cdots (h_{2k}^{r_1} \eta_{2k}^{r_2})^{i^{2k-1}}}{(g^{r_1})^{f(i)}} \right)^{1/g(i)}} = M . $$
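As an added example (not code from the paper), the following toy Python run carries the corrected KD revocation procedure above end to end; since the Reed-Solomon rows are one instance of the matrix $\Gamma$, it also exercises the LC-KD' decryption of section 4.1. The group $G_q$ (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$), its generator and all randomness are constructed for illustration only and provide no security.

```python
# Toy corrected-KD revocation (Sect. 4.2), constructed for this page; tiny, insecure parameters.
import random

Q = 1019                 # constructed prime q > n
P = 2 * Q + 1            # 2039, also prime, so Z_P^* has a subgroup G_q of order Q
G = 4                    # 2^2 is a quadratic residue mod P, hence generates G_q

def poly_eval(coeffs, x):
    """c_1 + c_2 x + ... + c_m x^(m-1) over Z_q, the layout of f(x) and g(x) in the paper."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out

def keygen(n, k):
    """f(x) = b_1 + ... + b_2k x^(2k-1); PK = (g, h_1..h_2k); user i holds e_i = f(i)."""
    b = [random.randrange(1, Q) for _ in range(2 * k)]
    h = [pow(G, bj, P) for bj in b]
    return h, {i: poly_eval(b, i) for i in range(1, n + 1)}

def revoke_poly(R, k, n):
    """Coefficients beta_1..beta_2k of g(x) = (x - i_1)...(x - i_c) z(x), z(i) != 0 on {1..n}."""
    c = len(R)
    assert 1 <= c < 2 * k   # g(x) has 2k coefficients, so at most 2k - 1 roots can be placed
    while True:             # rejection-sample z of degree < 2k - c
        z = [random.randrange(1, Q) for _ in range(2 * k - c)]
        if all(poly_eval(z, i) != 0 for i in range(1, n + 1)):
            break
    for i in R:
        z = poly_mul(z, [(-i) % Q, 1])   # multiply by (x - i)
    return z

def encrypt(M, h, beta):
    """(g^r1, M g^r2, beta_1..beta_2k, h_1^r1 eta_1^r2, ..., h_2k^r1 eta_2k^r2)."""
    r1, r2 = random.randrange(1, Q), random.randrange(1, Q)
    eta = [pow(G, bj, P) for bj in beta]
    mixed = [pow(hj, r1, P) * pow(ej, r2, P) % P for hj, ej in zip(h, eta)]
    return pow(G, r1, P), M * pow(G, r2, P) % P, beta, mixed

def decrypt(i, e_i, ct):
    """Return M for i not in R, or None when g(i) = 0 marks user i as revoked."""
    g_r1, c2, beta, mixed = ct
    gi = poly_eval(beta, i)
    if gi == 0:
        return None
    prod = 1   # prod_j (h_j^r1 eta_j^r2)^(i^(j-1)) = g^(r1 f(i)) * g^(r2 g(i))
    for j, comp in enumerate(mixed):
        prod = prod * pow(comp, pow(i, j, Q), P) % P
    prod = prod * pow(pow(g_r1, e_i, P), -1, P) % P    # strip g^(r1 f(i)) with the secret f(i)
    g_r2 = pow(prod, pow(gi, -1, Q), P)                # exponent 1/g(i) mod q leaves g^r2
    return c2 * pow(g_r2, -1, P) % P
```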




4.3 BF with Revocation 

For the BF scheme, the public encryption key is slightly changed. A single group element is added to the encryption key.

The new encryption key is $PK' = (g_1, y, h_1, \ldots, h_{2k})$.

The added element $g_1$ is an arbitrary generator of $G_q$; indeed, we can choose $g_1 = g$.
Revocation. Let $R$ be a subset of $\{1, \ldots, n\}$ such that $1 \le |R| \le 2k$. $R$ represents the set of revoked users. Choose $\beta = (\beta_1, \ldots, \beta_{2k})$ such that in the equation $\Gamma \cdot \beta = e = (e_1, \ldots, e_n)$ we have $e_i = 0$ if and only if $i \in R$. This can be done because any $2k$ rows of $\Gamma$ are linearly independent.

Let $\eta_1 = g_1^{\beta_1}, \ldots, \eta_{2k} = g_1^{\beta_{2k}}$.

A message $M \in G_q$ is encrypted as

$$ (y^{r_1}, M g_1^{r_2}, \beta_1, \ldots, \beta_{2k}, h_1^{r_1} \eta_1^{r_2}, \ldots, h_{2k}^{r_1} \eta_{2k}^{r_2}) $$

where $r_1, r_2$ are random numbers in $\mathbb{Z}_q$.

Decryption. User $i$ first calculates $e_i = \gamma^{(i)} \cdot \beta$. If $e_i = 0$ then $i$ is revoked. Otherwise, $i \notin R$, and user $i$ can use his decryption key $\theta^{(i)} = v_i \gamma^{(i)}$ to decrypt

$$ \frac{M g_1^{r_2}}{\left( \dfrac{(h_1^{r_1} \eta_1^{r_2})^{\theta^{(i)}_1} \cdots (h_{2k}^{r_1} \eta_{2k}^{r_2})^{\theta^{(i)}_{2k}}}{y^{r_1}} \right)^{1/(v_i e_i)}} = M . $$



4.4 Semantic Security for Revocation 

We show that the proposed revocation schemes are semantically secure against 
a passive adversary who controls up to 2k — 1 users assuming the difficulty of 
the DDH problem in the group G q . We give a security proof for the linear- 
coded Kurosawa-Desmedt (LC-KD’) scheme. The proof can be easily adjusted 
for other schemes. 

Model of Adversary. The following game models an Adversary $\mathcal{A}$ who controls up to $2k - 1$ users and an Oracle who represents the revocation scheme.

1. The Adversary adaptively chooses a set $A_{users}$ of up to $2k - 1$ users that it controls.

2. Given $A_{users}$, for a given security parameter $\lambda$, the Oracle runs the key generation procedure and gives the Adversary the public encryption key together with all secret keys of the users in $A_{users}$ under the control of the Adversary.

3. The Adversary then produces two challenge messages $M_0$ and $M_1$ and gives them to the Oracle.

4. The Oracle selects a random bit $r \in \{0, 1\}$ and gives the Adversary back the ciphertext of $M_r$ encrypted with the revoked set $R = A_{users}$.

5. The Adversary outputs a bit $r'$.

The advantage of the adversary $\mathcal{A}$ is defined as $Adv_{\mathcal{A}}(\lambda) = |\Pr(r = r') - 1/2|$. We say that the revocation scheme is semantically secure if $Adv_{\mathcal{A}}(\lambda)$ is negligible.

Theorem 1 states that the linear-coded Kurosawa-Desmedt revocation scheme is semantically secure; the proof is given in the full version of the paper.

Theorem 1. The LC-KD' revocation scheme is semantically secure against a collusion of up to $2k - 1$ revoked users assuming the difficulty of the DDH problem.
5 Permanent User Removal

In a revocation scheme, we can remove a traitor permanently by always including the traitor in the revoked user set. However, in a threshold revocation scheme such as our proposed schemes, the number of revoked users is limited, so we cannot use it to remove many traitors. Dodis et al. [6] define a scheme to be scalable if any party can broadcast messages using the public key (server-side scalable) and if it supports an increasing number of add-user and remove-user operations (client-side scalable).

Our proposed revocation schemes are server-side scalable but not client-side scalable since they cannot remove more than $2k - 1$ users. The only known scalable scheme is the Dodis et al. scheme [6]. In this scheme, every time after removing $v$ users, legitimate users are allowed to update their secret keys. So the time line is divided into many "windows", and in each window $v$ users are removed. To calculate the new secret key, legitimate users need to use their old secret key together with a single piece of update information broadcast by the system administrator. The only problem with this scheme is that, at each key update time, the same update information is used for all users. Even a revoked user, if by any chance he obtains this update information, can use it to update his key to a valid key in the new session. Therefore, as emphasized in their paper, the Dodis et al. scheme is only secure against a window adversary. That is, it is secure against up to a threshold of $v$ revoked users who are revoked in the same window. This makes the scheme vulnerable to a collusion of as few as two revoked users who are revoked in two different windows. It remains an open problem to design a scalable scheme that is secure against a collusion of a threshold number of arbitrary revoked users.

In this section, we look at the possibility of repeatedly and permanently removing users by modifying only the public key and the public parts of the users' keys. If it is possible to do so then we would have a scalable scheme. Unfortunately, we prove that it is not possible, at least for the BF scheme. Section 5.1 considers the case where we remove a user by modifying only the public encryption key. Section 5.2 considers the case where we remove a user by modifying the public encryption key and the public parts of the users' keys (which are the rows of the public matrix).



5.1 Modifying Public Key, Keeping User Keys Unchanged 

Consider the Boneh-Franklin scheme. Let $y = g^a$, $h_1 = g^{b_1}$, $h_2 = g^{b_2}$, ..., $h_{2k} = g^{b_{2k}}$ be the current public encryption key. The user decryption key is $\theta^{(i)} = v_i \gamma^{(i)}$.

For simplicity, assume now we want to remove user $n$. We want to change the public encryption key to become $y' = g^{a'}$, $h'_1 = g^{b'_1}$, $h'_2 = g^{b'_2}$, ..., $h'_{2k} = g^{b'_{2k}}$.

For each $i = 1, \ldots, n - 1$, in order to have user $i$ remain valid, the decryption key $\theta^{(i)}$ must be a DL-representation of the new DL-element $y'$ with respect to the new DL-base $h'_1, \ldots, h'_{2k}$. Therefore,

$$ a' = \theta^{(i)} \cdot b' = v_i (\gamma^{(i)} \cdot b'), \qquad \forall i = 1, \ldots, n - 1 . $$




